Edit tour

Windows Analysis Report
geosetter_setup.exe

Overview

General Information

Sample name:	geosetter_setup.exe
Analysis ID:	1546439
MD5:	6c8aac98ac0f743037c412b513a6a3a6
SHA1:	e9b08b023e456bb39a20209e4a288cab1740b0a5
SHA256:	64d508b33c50c5a9fd695c0b328dab5519703db96c6e4580b8934c39431876ab
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Found API chain indicative of debugger detection

Queries Google from non browser process on port 80

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Classes Autorun Keys Modification

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

geosetter_setup.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\geosetter_setup.exe" MD5: 6C8AAC98AC0F743037C412B513A6A3A6)

geosetter_setup.tmp (PID: 5284 cmdline: "C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp" /SL5="$20442,24249229,57856,C:\Users\user\Desktop\geosetter_setup.exe" MD5: 832DAB307E54AA08F4B6CDD9B9720361)

regsvr32.exe (PID: 3944 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\GeoSetter\GeoSetterShellExt.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 1576 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\GeoSetter\GeoSetterShellExt64.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 1272 cmdline: /s "C:\Program Files (x86)\GeoSetter\GeoSetterShellExt64.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

GeoSetter.exe (PID: 2300 cmdline: "C:\Program Files (x86)\GeoSetter\GeoSetter.exe" MD5: 010F18D793587CEB5E31D53455F461A1)

exiftool.exe (PID: 2352 cmdline: "C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -listx MD5: CB2157B42F3AB50ED1A1977F995223E4)

conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

exiftool.exe (PID: 1968 cmdline: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe -listx MD5: 44D73F3664153A38A9CD02F9DE9C3E69)

exiftool.exe (PID: 2232 cmdline: "C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -lang MD5: CB2157B42F3AB50ED1A1977F995223E4)

conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

exiftool.exe (PID: 7056 cmdline: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe -lang MD5: 44D73F3664153A38A9CD02F9DE9C3E69)

exiftool.exe (PID: 6004 cmdline: "C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -ver MD5: CB2157B42F3AB50ED1A1977F995223E4)

conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

exiftool.exe (PID: 2140 cmdline: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe -ver MD5: 44D73F3664153A38A9CD02F9DE9C3E69)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\GeoSetter\tools\is-V94I6.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\GeoSetter\is-07QKO.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
7.0.GeoSetter.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

Sigma detected: Classes Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: {7506374C-A693-427B-8DDD-99DAFB79433D}, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\regsvr32.exe, ProcessId: 3944, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\GeoSetterShellExt\(Default)

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T22:22:30.938036+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.5	49705	TCP
2024-10-31T22:23:10.163143+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.5	49918	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe

Code function: 15_2_6DC0DD40 win32_crypt,Perl_get_context,

15_2_6DC0DD40

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION GeoSetter.exe

Jump to behavior

Source: geosetter_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.DisclaimerThis software is provided "as-is". No warranty of any kind is expressed or implied. You use at your own risk. The author will not be liable for data loss damages loss of profits or any other kind of loss while using or misusing this software.FreewareThis program is freeware - that means you can download and copy it. You can even use it for commercial purposes however the sale of this software is prohibited.If you are an editor and wish to include GeoSetter on a magazine's CD or DVD please contact me.I &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.DisclaimerThis software is provided "as-is". No warranty of any kind is expressed or implied. You use at your own risk. The author will not be liable for data loss damages loss of profits or any other kind of loss while using or misusing this software.FreewareThis program is freeware - that means you can download and copy it. You can even use it for commercial purposes however the sale of this software is prohibited.If you are an editor and wish to include GeoSetter on a magazine's CD or DVD please contact me.I &accept the agreementI &do not accept the agreement&Next >Cancel

Source: unknown

HTTPS traffic detected: 130.15.24.27:443 -> 192.168.2.5:49980 version: TLS 1.2

Source: geosetter_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00476120 FindFirstFileA,FindNextFileA,FindClose,	1_2_00476120
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_004531A4 FindFirstFileA,GetLastError,	1_2_004531A4
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_004648D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004648D0
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00464D4C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464D4C
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00463344 FindFirstFileA,FindNextFileA,FindClose,	1_2_00463344
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0049998C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_0049998C
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC0AEB0 win32_opendir,strlen,Perl_safesyscalloc,strcpy,MultiByteToWideChar,Perl_get_context,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,strlen,Perl_safesysmalloc,strcpy,GetLastError,_errno,WideCharToMultiByte,_errno,_errno,Perl_safesysfree,_errno,_errno,	15_2_6DC0AEB0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC0BB70 win32_longpath,strcpy,FindFirstFileA,strcpy,FindClose,_errno,FindClose,_errno,	15_2_6DC0BB70
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_70845F80 PL_charclass,wcscpy,FindFirstFileW,wcslen,wcscpy,FindClose,_errno,FindClose,_errno,toupper,	15_2_70845F80
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_70845BA0 PL_charclass,_mbscpy,FindFirstFileA,_mbscpy,FindClose,toupper,_errno,FindClose,_errno,	15_2_70845BA0

Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe

Code function: 15_2_6560A76C Perl_get_context,Perl_get_context,Perl_get_context,GetLogicalDriveStringsA,Perl_get_context,Perl_get_context,Perl_get_context,Perl_get_context,Perl_get_context,Perl_sv_newmortal,Perl_get_context,Perl_sv_setuv,Perl_get_context,Perl_get_context,Perl_get_context,Perl_get_context,Perl_get_context,

15_2_6560A76C

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe

Code function: 4x nop then mov eax, dword ptr [esp+04h]

15_2_6DC22F60

Networking

Queries Google from non browser process on port 80

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	HTTP traffic: GET /v3/map_google.html HTTP/1.1 Accept: / Accept-Language: en-CH User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0) Accept-Encoding: gzip, deflate Host: map.geosetter.de Connection: Keep-Alive
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	HTTP traffic: GET /v3/json3.js HTTP/1.1 Accept: / Referer: http://map.geosetter.de/v3/map_google.html Accept-Language: en-CH User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0) Accept-Encoding: gzip, deflate Host: map.geosetter.de Connection: Keep-Alive
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	HTTP traffic: GET /v3/leaflet/leaflet.css HTTP/1.1 Accept: / Referer: http://map.geosetter.de/v3/map_google.html Accept-Language: en-CH User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0) Accept-Encoding: gzip, deflate Host: map.geosetter.de Connection: Keep-Alive
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	HTTP traffic: GET /v3/leaflet/leaflet.js HTTP/1.1 Accept: / Referer: http://map.geosetter.de/v3/map_google.html Accept-Language: en-CH User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0) Origin: http://map.geosetter.de Accept-Encoding: gzip, deflate Host: map.geosetter.de Connection: Keep-Alive
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	HTTP traffic: GET /v3/img/crosshair.gif HTTP/1.1 Accept: / Referer: http://map.geosetter.de/v3/map_google.html Accept-Language: en-CH User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0) Accept-Encoding: gzip, deflate Host: map.geosetter.de Connection: Keep-Alive

Source: Joe Sandbox View

ASN Name: DE-WEBGOwwwwebgodeDE DE-WEBGOwwwwebgodeDE

Source: Joe Sandbox View

JA3 fingerprint: b22b3950835f7eba2f3be0917e4f949e

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49705
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49918

Source: global traffic	HTTP traffic detected: GET /~phil/exiftool/rss.xml HTTP/1.1Pragma: no-cacheHost: owl.phy.queensu.caAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: GET /v3/map_google.html HTTP/1.1Accept: /Accept-Language: en-CHUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0)Accept-Encoding: gzip, deflateHost: map.geosetter.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v3/json3.js HTTP/1.1Accept: /Referer: http://map.geosetter.de/v3/map_google.htmlAccept-Language: en-CHUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0)Accept-Encoding: gzip, deflateHost: map.geosetter.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v3/leaflet/leaflet.css HTTP/1.1Accept: /Referer: http://map.geosetter.de/v3/map_google.htmlAccept-Language: en-CHUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0)Accept-Encoding: gzip, deflateHost: map.geosetter.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v3/leaflet/leaflet.js HTTP/1.1Accept: /Referer: http://map.geosetter.de/v3/map_google.htmlAccept-Language: en-CHUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0)Origin: http://map.geosetter.deAccept-Encoding: gzip, deflateHost: map.geosetter.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v3/img/crosshair.gif HTTP/1.1Accept: /Referer: http://map.geosetter.de/v3/map_google.htmlAccept-Language: en-CHUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0)Accept-Encoding: gzip, deflateHost: map.geosetter.deConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe

Code function: 15_2_6DC12390 win32_recvfrom,_get_osfhandle,recvfrom,win32_getpeername,WSAGetLastError,_errno,SetLastError,

15_2_6DC12390

Source: global traffic	HTTP traffic detected: GET /~phil/exiftool/rss.xml HTTP/1.1Pragma: no-cacheHost: owl.phy.queensu.caAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: GET /v3/map_google.html HTTP/1.1Accept: /Accept-Language: en-CHUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0)Accept-Encoding: gzip, deflateHost: map.geosetter.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v3/json3.js HTTP/1.1Accept: /Referer: http://map.geosetter.de/v3/map_google.htmlAccept-Language: en-CHUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0)Accept-Encoding: gzip, deflateHost: map.geosetter.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v3/leaflet/leaflet.css HTTP/1.1Accept: /Referer: http://map.geosetter.de/v3/map_google.htmlAccept-Language: en-CHUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0)Accept-Encoding: gzip, deflateHost: map.geosetter.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v3/leaflet/leaflet.js HTTP/1.1Accept: /Referer: http://map.geosetter.de/v3/map_google.htmlAccept-Language: en-CHUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0)Origin: http://map.geosetter.deAccept-Encoding: gzip, deflateHost: map.geosetter.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v3/img/crosshair.gif HTTP/1.1Accept: /Referer: http://map.geosetter.de/v3/map_google.htmlAccept-Language: en-CHUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0)Accept-Encoding: gzip, deflateHost: map.geosetter.deConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: map.geosetter.de
Source: global traffic	DNS traffic detected: DNS query: owl.phy.queensu.ca

Source: GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://abc.net.au/local/news/olympics/1999/07/item19990728112314_1.ht
Source: GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://abc.net.au/news/olympics/1999/06/item19990601114608_1.htm
Source: GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://abc.net.au/news/olympics/1999/07/item19990719151754_1.htm
Source: GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://abc.net.au/news/regionals/brokenh/monthly/regbrok-21jul1999-6.htm
Source: GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://abc.net.au/news/regionals/neweng/monthly/regeng-22jul1999-1.ht
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://actualidad.terra.es/sociedad/articulo/cuba_llama_ahorrar_energia_cambio_1957044.htm
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aif.az/docs/daylight_res.pdf
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://allafrica.com/stories/200703300178.htm
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://almanakka.helsinki.fi/aikakirja/Aikakirja2007kokonaan.pdf
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://api.geonames.org
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ar.clarin.com/diario/2001-06-06/e-01701.htm
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ar.clarin.com/diario/2001-06-06/e-01701.htmZ
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ar.clarin.com/diario/2001-06-12/s-03501.htm
Source: GeoSetter.exe, 00000007.00000003.2483666998.000000000960C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://arabic.pnn.ps/index.php?option=com_content&task=view&id=508
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://arabic.pnn.ps/index.php?option=com_content&task=view&id=50850
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bdnews24.com/details.php?id=85889&cid=2
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bdnews24.com/details.php?id=85889&cid=H
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bdnews24.com/details.php?id=85889&cid=H#
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bmockbe.ru/events/?ID=7583
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://bsalsa.com/
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=4150
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cl.invertia.com/noticias/noticia.aspx?idNoticia=200801171849_EFE_ET4373&idtel
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://club.telepolis.com/silverpointdev/sptbxlib/
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dailymailnews.com/200808/28/news/dmbrn03.htH
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dailymailnews.com/200808/28/news/dmbrn03.html
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://diario.elmercurio.com/2011/03/28/_portada/_portada/noticias/7565897A-CA86-49E6-9E03-660B21A48
Source: GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dir.gis.nsw.gov.au/cgi-bin/genobject/document/other/daylightsaving/tigGmZ
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://earth.google.com/kml/2.1
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483607874.0000000009604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://eng.gateway.kg/cgi-bin/page.pl?id=1&story_name=doc9979.shtml
Source: GeoSetter.exe, 00000007.00000003.2483666998.000000000960C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://english.pnn.ps/index.php?option=com_content&task=view&id=596&Itemid
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://english.pnn.ps/index.php?option=com_content&task=view&id=596&Itemid=5
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://english.pnn.ps/index.php?option=com_content&task=view&id=596&Itemid=5Z
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://eros.usgs.gov/#/Find_Data/Products_and_Data_Available/gtopo30_info
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://etan.org/et99c/december/26-31/30ETMAY.htm
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000L0084:EN:NOT
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://g1.globo.com/bahia/noticia/2011/10/governador-jaques-wagner-confirma-horario-de-verao-na-bahi
Source: GeoSetter.exe, 00000007.00000003.2486000379.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://home.no.net/janmayen/history.htm
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://in.reuters.com/article/southAsiaNews/idINIndia-40017620090601
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://in.reuters.com/article/southAsiaNews/idINIndia-400176200906d
Source: GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://inms-ienm.nrc-cnrc.gc.ca/images/time_services/TZ01SSE.j
Source: GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://inms-ienm.nrc-cnrc.gc.ca/images/time_services/TZ01SWE.j
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://jornale.com.br/index.php?option=com_content&task=view&id=13530&Itemid=54
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://jornale.com.br/index.php?option=com_content&task=view&id=13530&Itemid=5t%
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://madExcept.com
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://madExcept.comU
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://map.geosetter.de/v3/map_google.html
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://map.geosetter.de/v3/map_google.htmlSV
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://maps.google.com
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://media.enet.cu/radioreloj
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://media.enet.cu/radiorelot
Source: GeoSetter.exe, 00000007.00000003.2486000379.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://met.no/met/met_lex/q_u/sommertid.html
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://midena.gov.ec/content/view/1261/208/
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://naviny.by/rubrics/society/2011/09/16/ic_articles_116_175144/
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://news.mail.ru/politics/6861560/
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://news.sinhalaya.com/wmview.php?ArtID=11002
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://news.tut.by/society/250578.html
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://newspot.byegm.gov.tr/arsiv/1996/21/N4.htm
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://noticias.terra.com.br/brasil/noticias/0
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://palvoice.org/forums/showthread.php?t=245697
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/DEC3592.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/Dec3630.jpg
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/Dec3632.jpg
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/DecHV.h$#
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/DecHV.html
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/DecHV5539.gif
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/DecHV5920.gif
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/DecHV6212.gif
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/DecHV99.gif
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/Fusbr.htm
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/Fusbrhv.htm
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HISTHV.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV1252.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV1636.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV1674.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV1991.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV1992.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV2000.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV20466.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV21896.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV23195.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV27496.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV27998.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV32308.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV34724.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV52700.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV53071.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV53604.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV55639.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV57303.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV57843.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV63429.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV91698.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV942.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV94922.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV96676.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV98077.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/HV99530.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/figuras/HV2495.JPG
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/figuras/HV3150.gif
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/figuras/HV3916.gif
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/figuras/Hv98.jpg
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pcdsh01.on.br/verao1.html
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://petra.gov.jo/Artical.aspx?Lng=2&Section=8&Artical=95279
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://portal.rada.gov.ua/rada/control/en/publish/article/info_left?art_id=287324&cat_id=105995
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rega.basbakanlik.gov.tr/eskiler/2007/03/20070307-7.htm
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ru.publika.md/link_317061.html
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sana.sy/ara/2/2008/10/07/195459.htm
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sns.sy/sns/?path=news/read/11421
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://star.arabia.com/990701/JO9.html
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://star.arabia.com/990930/JO9.html
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://story.philippinetimes.com/p.x/ct/9/id/145be20cc6b121c0/cid/3e5bbccc730d258c/
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://student.cusu.cam.ac.uk/~jsm28/british-time/
Source: GeoSetter.exe, 00000007.00000003.2485959928.0000000009620000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://student.cusu.cam.ac.uk/~jsm28/british-time/bbc-19410418.png
Source: GeoSetter.exe, 00000007.00000003.2485959928.0000000009620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://student.cusu.cam.ac.uk/~jsm28/british-time/ho-19410421.
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://student.cusu.cam.ac.uk/~jsm28/british-time/ho-19410421.png
Source: GeoSetter.exe, 00000007.00000003.2485959928.0000000009620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://student.cusu.cam.ac.uk/~jsm28/british-timeT
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://thawra.alwehda.gov.sy/_View_news2.asp?FileName=94459258720090318012209
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://tile.stamen.com/terrain-background
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://tile.stamen.com/terrain-backgroundSVW
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://today.reuters.co.uk/news/newsArticle.aspx?type=scienceNews&storyID=2006-04-12T172228Z_01_COL2
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://toi.iriti.cnr.it/uk/ienitlt.html
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://trip.rk.ee/cgi-bin/thw?$
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ubpost.mongolnews.mn/index.php?subaction=showcomments&id=1111634894&archive=&start_from=&ucat
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095C8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483542296.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://uk.reuters.com/article/oilRpt/idUKBLA65048420070916
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://w1.c1.rada.gov.ua/pls/zweb_n/webproc4_1?id=&pf3511=41484
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wehda.alwehda.gov.sy/_print_veiw.asp?FileName=12521710520070926111247
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://ws.geonames.net
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://ws.geonames.net/viewAccount?username=%s&token=%s
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://ws.geonames.net/viewAccount?username=%s&token=%sSV
Source: GeoSetter.exe, 00000007.00000003.2486000379.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.abc.com.pl/serwis/mp/1995/0162.hp)
Source: GeoSetter.exe, 00000007.00000003.2485048789.0000000009610000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.abc.com.pl/serwis/mp/1995/0162.htm
Source: GeoSetter.exe, 00000007.00000003.2483666998.000000000960C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.abcnews.go.com/International/wireStory?id=56760
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.abcnews.go.com/International/wireStory?id=5676087
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483607874.0000000009604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.aljeeran.net/wesima_articles/news-20080305-98602.html
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.allmoldova.com/moldova-news/1249064116.html
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.alomaliye.com/bkk_2002_3769.htm
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apakistannews.com/govt-withdraws-plan-to-advance-clocks-172041
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apakistannews.com/govt-withdraws-plan-to-advance-clocks-172T6
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.app.com.pk/en_/index.php?option=com_content&task=view&id=73043&Itemid=
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.app.com.pk/en_/index.php?option=com_content&task=view&id=73043&Itemid=1
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.app.com.pk/en_/index.php?option=com_content&task=view&id=73043&Itemid=1P%
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.app.com.pk/en_/index.php?option=com_content&task=view&id=86715&Itemid=
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.app.com.pk/en_/index.php?option=com_content&task=view&id=86715&Itemid=2
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.app.com.pk/en_/index.php?option=com_content&task=view&id=86715&Itemid=2x
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.app.com.pk/en_/index.php?option=com_content&task=view&id=99374&Itemid=
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.app.com.pk/en_/index.php?option=com_content&task=view&id=99374&Itemid=2
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.arabtimesonline.com/arabtimes/kuwait/Viewdet.asp?ID=9950
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.argentina.gob.ar/argentina/portal/paginas.dhtml?pagina=356
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.asiantribune.com/?q=node/17288
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.astro.com/atlas
Source: GeoSetter.exe, 00000007.00000003.2486000379.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.astro.uni.torun.pl/~kb/Artykuly/U-PA/Czas2.htm#tth_tAb
Source: GeoSetter.exe, 00000007.00000003.2485048789.0000000009610000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.astro.uni.torun.pl/~kb/Artykuly/U-PA/Czas2.htm#tth_tAb1
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483607874.0000000009604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.aswataliraq.info/look/article.tpl?id=2047&IdLanguage=17&IdPublication=4&NrArticle=71743&N
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.baltictimes.com/
Source: GeoSetter.exe, 00000007.00000003.2486000379.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bartleby.com/65/sv/Svalbard.html
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.belta.by/ru/all_news/society/V-Belarusi-otmenjaetsja-perexod-na-sezonnoe-vremja_i_572952.
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.boletinoficial.gov.ar/Bora.Portal/CustomControls/PdfContent.aspx?fp=16102008&pi=3&pf=4&s=
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.boletinoficial.gov.ar/Bora.Portal/CustomControls/PdfContent.aspx?fp=17102008&pi=1&pf=1&s=
Source: GeoSetter.exe, 00000007.00000003.2484745468.0000000009620000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bom.gov.au/climate/averages/tables/dst_times.shtml
Source: GeoSetter.exe, 00000007.00000003.2484745468.0000000009620000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bom.gov.au/faq/faqgen.htm
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING2000/03/00X03X06.HTM#%2021
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING2001/03/23x03x01.HTM#%2027
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING97/03/97X03X25.TXT
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING98/03/98X03X02.HTM
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING99/10/99X10X26.HTM#%2016
Source: GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.canadiangeographic.ca/Magazine/SO98/geomap.
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cddhcu.gob.mx/bibliot/publica/inveyana/polisoc/horver/(
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.clarin.com.ar/diario/2001-06-22/s-03601.htm
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.clarin.com.ar/diario/2001-06-22/s-03601.htmV
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cwb.gov.tw/V6/astronomy/cdata/summert.h
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cwb.gov.tw/V6/astronomy/cdata/summert.htm
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dailytimes.com.pk/default.asp?page=2008%5C05%5C15%5Cstory_15-5-2008_pg1
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dailytimes.com.pk/default.asp?page=2008%5C05%5C15%5Cstory_15-5-2008_pg1_4
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dawn.com/2002/10/06/top13.htm
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dawn.com/2003/03/07/top15.T
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dawn.com/2003/03/07/top15.htm
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.delphizip.org
Source: GeoSetter.exe, 00000007.00000003.2485959928.0000000009620000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dhm.de/lemo/html/biografien/BersarinNikolai/
Source: GeoSetter.exe, 00000007.00000003.2484591039.0000000009613000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dia.govt.nz/diawebsite.nsf/wpg_URL/Services-Daylight-Saving-Daylight-saving-to-be-exten
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.diariocolatino.com/internacionales/detalles.asp?NewsID=8079
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.diarionoticias.com.py/011000/nacional/naciona1.htm
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.diputadossanluis.gov.ar/diputadosasp/paginas/verNorma.asp?NormaID=276
Source: geosetter_setup.tmp, 00000001.00000003.2459216915.00000000021E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dlapr.lib.az.us/links/daylight.htm
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.eldiariodelarepublica.com/index.php?option=com_content&task=view&id=29383&Itemid=9
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.elnuevodiario.com.ni/2006/05/01/nacionales/1841
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.elta.lt/
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.emol.com/noticias/nacional/detalle/detallenoticias.asp?idnoticia=467651
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.eznis.com/Container.jsp?id=
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.eznis.com/Container.jsp?id=112
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2487531261.0000000009612000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.falklandnews.com/public/story.cfm?get=5914&source=3
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.famfamfam.com
Source: GeoSetter.exe, 00000007.00000003.2484745468.0000000009620000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.fiji.gov.fj/index.php?option=com_content&view=article&id=1096:3310-cabinet-approves-chang
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.fjysgl.gov.cn/show.aspx?id=2379&cid
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.fjysgl.gov.cn/show.aspx?id=2379&cid=39
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.fjysgl.gov.cn/show.aspx?id=2379&cid=39t
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.friedemann-schmidt.com/geosetter/gmap21.html
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.geonames.org
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.geonames.org/account
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.geonames.org/login
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.geonames.org/services.html
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.geosetter.de
Source: geosetter_setup.exe, 00000000.00000003.2053065082.00000000020A4000.00000004.00001000.00020000.00000000.sdmp, geosetter_setup.exe, 00000000.00000003.2461969425.00000000020B0000.00000004.00001000.00020000.00000000.sdmp, geosetter_setup.tmp, 00000001.00000003.2054977128.00000000021CC000.00000004.00001000.00020000.00000000.sdmp, geosetter_setup.tmp, 00000001.00000003.2458860762.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, geosetter_setup.tmp, 00000001.00000003.2459808738.00000000021D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.geosetter.de&
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.geosetter.de/donation-de/
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.geosetter.de/donation-de/openhttp://www.geosetter.de/en/donation-en/S
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.geosetter.de/en/donation-en/
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.geosetter.de/geosetter_beta.exeU
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.geosetter.de/languages/
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.geosetter.de4http://www.geosetter.de/en
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.geosetter.deDhttp://www.geosetter.de/changes-de4http://www.geosetter.de/enJhttp://www.geo
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.geosetter.deTPF0
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.globovision.com/news.php?nid=72208
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gobernac.mendoza.gov.ar/boletin/pdf/20040521-27158-normas.pdf
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gobernac.mendoza.gov.ar/boletin/pdf/20040924-27244-normas.pdf
Source: GeoSetter.exe, 00000007.00000003.2487461434.00000000095F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gobiernodechile.cl/viewNoticia.aspx?idArticulo=3009
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gobiernodechile.cl/viewNoticia.aspx?idArticulo=30098
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.google.com/kml/ext/2.2
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gov.mu/portal/goc/assemblysite/file/bill2708.pd
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2482907104.00000000095C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gov.mu/portal/goc/assemblysite/file/bill2708.pdf
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2482907104.00000000095C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gov.mu/portal/site/pmosite/menuitem.4ca0efdee47462e7440a600248a521ca/?content_id=4728ca68
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gov.on.ca/MBS/english/publications/statregs/conttext.html
Source: GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gov.yk.ca/legislation/regs/oic1987_056.0
Source: GeoSetter.exe, 00000007.00000003.2485171150.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486091069.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.government.ru/content/governmentactivity/rfgovernmentdecisions/archiv
Source: GeoSetter.exe, 00000007.00000003.2485171150.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486091069.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.government.ru/content/governmentactivity/rfgovernmentdecisions/archive/2009/09/14/991633.
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.gpsbabel.org
Source: GeoSetter.exe, 00000007.00000003.2486867873.0000000009610000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.granma.cu/espanol/2005/noviembre/mier9/horario.html
Source: GeoSetter.exe, 00000007.00000003.2486867873.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.granma.cu/ingles/2004/septiembre/juev30/41medid-i.h
Source: GeoSetter.exe, 00000007.00000003.2486867873.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.granma.cu/ingles/2006/octubre/lun16/43horario.h
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.granma.cubaweb.cu/2007/10/24/nacional/artic07.h
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.granma.cubaweb.cu/english/news/art89.html
Source: GeoSetter.exe, 00000007.00000003.2483666998.000000000960C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.guardian.co.uk/world/feedarticle/775900
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.guardian.co.uk/world/feedarticle/7759001
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.hko.gov.hk/gts/time/Summertime.
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.hko.gov.hk/gts/time/Summertime.htm
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.hko.gov.hk/gts/time/Summertime.htmH
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.hko.gov.hk/gts/time/Summertime.htmH7
Source: GeoSetter.exe, 00000007.00000003.2487461434.00000000095F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.horaoficial.cl/cambio.h
Source: GeoSetter.exe, 00000007.00000003.2487461434.00000000095F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.horaoficial.cl/cambio.hP
Source: GeoSetter.exe, 00000007.00000003.2487461434.00000000095F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.horaoficial.cl/cambio.hp
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.horaoficial.cl/cambio.htm
Source: GeoSetter.exe, 00000007.00000003.2487461434.00000000095F3000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.horaoficial.cl/horaof.htm
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.hoy.com.ec/NoticiaNue.asp?row_id=249856
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.hri.org/news/world/undh/last/00-08-16.undh.htmD
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.hri.org/news/world/undh/last/00-08-16.undh.html
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.hum.aau.dk/~poe/tid/tine/DanskTid.htm
Source: GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.hup.harvard.edu/catalog/HEISUN.html
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.hurriyet.com.tr/ekonomi/17230464.asp?gid=373
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iht.com/articles/ap/2007/03/29/africa/ME-GEN-Syria-Time-Change.php
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.in.gov.br/visualiza/index.jsp?data=13/10/2011&jornal=1000&pagina=6&totalArquivos=6
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.in.gov.br/visualiza/index.jsp?data=13/10/2011&jornal=1000&pagina=6&totalArquivos=60
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: geosetter_setup.tmp, geosetter_setup.tmp, 00000001.00000000.2054211311.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.irishstatutebook.ie/ZZA13Y1923.html
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095C8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483542296.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.irna.ir/en/news/view/line-17/0603193812164948.h
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.irna.ir/en/news/view/line-17/0603193812164948.htm
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483607874.0000000009604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.japantimes.co.jp/cgi-bin/getarticle.pl5?nn20050810f2.htm
Source: GeoSetter.exe, 00000007.00000003.2486867873.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.jonesbahamas.com/?c=45&a=10
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.jpost.com/MiddleEast/Article.aspx?id=235650
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.jpost.com/com/Archive/22.Apr.1999/Opinion/Article-2.html
Source: geosetter_setup.exe, geosetter_setup.exe, 00000000.00000002.2462074891.0000000000401000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: geosetter_setup.exe, 00000000.00000002.2462074891.0000000000401000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.jrsoftware.org/isinfo.php
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.jujuy.gov.ar/index2/partes_prensa/18_10_08/235-181008.doc
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kazsociety.org.uk/news/2005/03/30.htm
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483607874.0000000009604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.koreaherald.co.kr/SITE/data/html_dir/2006/07/10/200607100012.asp
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kyivpost.ua/russia/news/pridnestrove-otkazalos-ot-perehoda-na-zimnee-vremya-30954.html
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lagaceta.com.ar/vernotae.asp?id_nota=253414
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lanacion.com.ar/04/05/27/de_604825.asp
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lanacion.com.ar/04/05/28/de_605203.asp
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lanacion.com.ar/04/06/10/de_609078.asp
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lanacion.com.ar/nota.asp?nota_id=1107912
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lapalmainteractivo.com/guias/content/gen/ap/America_Latina/AMC_GEN_NICARAGUA_HORA.h
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2482907104.00000000095C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lexpress.mu/display_article.php?news_id=111216
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lexpress.mu/display_article.php?news_id=111X
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.locr.com
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.locr.com/api
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.locr.com/photo/album/albums.php?album_id=%s
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.locr.com/user/my_page/my_photos_edit.php
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.locr.com/user/my_page/my_photos_edit.phpopen
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.locr.com/user_create.php
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.locr.comTPF0
Source: GeoSetter.exe, 00000007.00000003.2486000379.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lovdata.no/all/nl-18940629-001.html
Source: GeoSetter.exe, 00000007.00000003.2486000379.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lovdata.no/all/nl-19250717-011.html
Source: GeoSetter.exe, 00000007.00000003.2486000379.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lovdata.no/all/nl-19300227-002.html).
Source: GeoSetter.exe, 00000007.00000003.2485959928.0000000009620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lrvk.lt/nut/11/n1749.ht
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lrvk.lt/nut/11/n1749.htm
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.lv-laiks.lv/wwwraksti/2000/071072/vd4.htm
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.maannews.net/eng/ViewDetails.aspx?ID=271178
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.maannews.net/eng/ViewDetails.aspx?ID=306795
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.maannews.net/eng/ViewDetails.aspx?ID=416217
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.maannews.net/eng/ViewDetails.aspx?ID=424808
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.madshi.net
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.manilastandardtoday.com/?page=politics02_april26_2006
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.math.nus.edu.sg/aslaksen/teaching/timezone.html
Source: GeoSetter.exe, 00000007.00000003.2484745468.0000000009620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mcil.gov.ws/mcil_publications.h
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mme.gov.br/firs
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mme.gov.br/first
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mme.gov.br/site/news/detail.do;jsessionid=BBA06811AFCAAC28F0285210913513DA?newsId=13975
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mme.gov.br/site/news/detail.do;jsessionid=BBA06811AFCAAC28F0285210913513DA?newsId=139750
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mme.gov.br/site/news/detail.do?newsId=1672
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mme.gov.br/site/news/detail.do?newsId=16722
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.moi.gov.ps/en/?page=633167343250594025&nid=11505
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mongoliatourism.gov.mn/general.htm
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mongolnews.mn/index.php?module=unuudur&sec=view&id=1574$
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mongolnews.mn/index.php?module=unuudur&sec=view&id=15742
Source: GeoSetter.exe, 00000007.00000003.2484745468.0000000009620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.morningstar.co.uk/uk/markets/newsfeeditem.aspx?id=1385019583479
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.mustangpeak.net
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.mytopo.com
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.news.lk/
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nineoclock.ro/POL/1778pol.html
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nnc.cubaweb.cu/marzo-2008/cien-1-11-3-08.ht
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nnc.cubaweb.cu/marzo-2008/cien-1-11-3-08.htm
Source: GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nnsl.com/frames/newspapers/2006-11/nov13_06none.htm
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ntvmsnbc.com/news/402029.asp
Source: GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nunatsiaq.com/archives/nunavut001130/nvt21110_02.html
Source: GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nunatsiaq.com/archives/nunavut991130/nvt91119_17.html
Source: GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nunatsiaq.com/nunavut/nvt10309_06.html
Source: GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nunatsiaq.com/nunavut/nvt90903_13.html
Source: GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nunavut.com/basicfacts/english/basicfacts_1territory.html
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.openstreetmap.org
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pak.gov.pk/public/news/app/app06_dec.htm
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pak.gov.pk/public/news/app/app06_dec.htp
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.parlament-berlin.de/pds-fraktion.nsf/727459127c8b66ee8525662300459099/defc77cb784f180ac12
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.parliament.the-stationery-office.co.uk/pa/ld199697/ldhansrd/pdvn/lds97/text/70611-20.htm#
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.petranews.gov.jo/nepras/2006/Sep/05/4000.htm
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.petranews.gov.jo/nepras/2006/Sep/05/4000.htmN
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pettswoodvillage.co.uk/Daylight_Savings_William_Willett.pdf
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/idl/idl.htm
Source: GeoSetter.exe, 00000007.00000003.2486000379.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/wettijd/wettijd.htm
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.planalto.gov.br/ccivil_03/_Ato2004-2006/2004/Decreto/D5223.htm
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.planalto.gov.br/ccivil_03/_Ato2007-2010/2008/Decreto/D6558.htm
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pravda.com.ua/rus/news/2011/09/20/6600616/
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.prensalatina.com.mx/article.asp?ID=%7B4CC32C1B-A9F7-42FB-8A07-8631AFC923AF%7D&language=D)
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.presidencia.gob.ni/Presidencia/Files_index/Secretaria/Notas%20de%20Prensa/Presidente/2005
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.presidencia.gob.ni/buscador_gaceta/BD/DECRETOS/2005/Decreto%2023-2005%20Se%20adelanta%20e
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.presidencia.gob.ni/presidencia/files_index/secretaria/comunicados/2005/septiembre/26septi
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.presidencia.gov.br/CCIVIL/decreto/2002/D4399.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.presidencia.gov.br/CCIVIL/decreto/2003/D4844.htm
Source: GeoSetter.exe, 00000007.00000003.2487461434.00000000095F0000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.presidencia.gov.py/decretos/D1867.pdf
Source: GeoSetter.exe, 00000007.00000003.2487461434.00000000095F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.presidencia.gov.py/v1/wp-content/uploads/2010/02/decreto3958.pd
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.presidencia.gov.py/v1/wp-content/uploads/2010/02/decreto3958.pdf
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.presidencia.gub.uy/_Web/decretos/2005/09/CM%20119_09%2009%202005_00001.PDF
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.presidencia.gub.uy/_Web/noticias/2005/03/2005031005.htm
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.presidencia.gub.uy/_web/decretos/2006/09/CM%20210_08%2006%202006_00001.PDF
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.presidencia.gub.uy/decretos/2004091502.htm
Source: GeoSetter.exe, 00000007.00000003.2485959928.0000000009620000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ptb.de/de/org/4/44/441/salt.htm
Source: GeoSetter.exe, 00000007.00000003.2486867873.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.qp.gov.sk.ca/documents/English/Statutes/Statutes/T14.pd
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.radiohc.cu/espanol/noticias/mar07/11mar/hor.htD2
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.radiohc.cu/espanol/noticias/mar07/11mar/hor.htD2O
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.radiohc.cu/espanol/noticias/mar07/11mar/hor.htm
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.regnum.ru/news/polit/1413906.html
Source: geosetter_setup.exe, 00000000.00000003.2053379279.0000000002470000.00000004.00001000.00020000.00000000.sdmp, geosetter_setup.exe, 00000000.00000003.2053568971.00000000020EC000.00000004.00001000.00020000.00000000.sdmp, geosetter_setup.tmp, geosetter_setup.tmp, 00000001.00000000.2054211311.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: geosetter_setup.exe, 00000000.00000003.2053379279.0000000002470000.00000004.00001000.00020000.00000000.sdmp, geosetter_setup.exe, 00000000.00000003.2053568971.00000000020EC000.00000004.00001000.00020000.00000000.sdmp, geosetter_setup.tmp, 00000001.00000000.2054211311.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/psU
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.retsinfo.dk/_GETDOCI_/ACCN/A18930008330-REGL
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.retsinfo.dk/_GETDOCI_/ACCN/A19722110030-REGL
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.retsinfo.dk/_GETDOCI_/ACCN/A19740022330-REGL
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.retsinfo.dk/_GETDOCI_/ACCN/C19801120554-REGL
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.rferl.org/newsline/2001/01/3-CEE/cee-030101.html
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.riksdagen.se/english/work/sfst.asp
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.safa.ps/ara/?action=showdetail&seid=4158
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sana.sy/ara/2/2009/09/29/247012.htm
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sana.sy/eng/21/2008/03/11/165173.htm
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sana.sy/eng/21/2008/03/11/165173.htmZ
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sana.sy/eng/21/2009/03/17/217563.htm
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sanjuan.gov.ar/prensa/archivo/000329.html
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sanjuan.gov.ar/prensa/archivo/000426.html
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sanjuan.gov.ar/prensa/archivo/000441.html
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sanluis.gov.ar
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sanluis.gov.ar/SL/Paginas/NoticiaDetalle.asp?TemaId=1&InfoPrensaId=3102
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sanluis.gov.ar/notas.asp?idCanal=0&id=22812
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sanluis.gov.ar/notas.asp?idCanal=8141&id=22834
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.segodnya.ua/news/14290482.html
Source: GeoSetter.exe, 00000007.00000003.2486000379.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.senat.gov.pl/k5/dok/sejm/053/2180.pdf
Source: GeoSetter.exe, 00000007.00000003.2487461434.00000000095F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.shoa.cl/noticias/2008/04hora/hora.hp
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.shoa.cl/noticias/2008/04hora/hora.htm
Source: GeoSetter.exe, 00000007.00000003.2487461434.00000000095F3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.shoa.cl/servicios/supremo316.pd
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.shoa.cl/servicios/supremo316.pdf
Source: GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.shrine.org.
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sieca.org.gt/Sitio_publico/Energeticos/Doc/Medidas/Cambio_Horario_Nac_190406.pdf
Source: GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.smh.com.au/news/9905/26/pageone/pageone4.html
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.sno.phy.queensu.ca/~phil/exiftool/
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spicasc.net/horvera.html
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.statkart.no/efs/efshefter/2001/efs5-2001.pdf
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sumatera-inc.com/go_to_invest/about_indonesia.asp#standtim
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sumatera-inc.com/go_to_invest/about_indonesia.asp#standtime
Source: GeoSetter.exe, 00000007.00000003.2486000379.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.svalbard.com/SvalbardFAQ.html
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thaindian.com/newsportal/business/bangladesh-to-continue-indefinitely-with-advanced-time_
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.thany.org/
Source: GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.theage.com.au/news/national/daylight-savings-to-span-six-months/2007/06/27/1182623966703.
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thedailystar.net/newDesign/latest_news.php?nid=2281
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thedailystar.net/newDesign/latest_news.php?nid=22817
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thedailystar.net/newDesign/news-details.php?nid=107021
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thedailystar.net/newDesign/news-details.php?nid=107P
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thedailystar.net/newDesign/news-details.php?nid=107P_M#
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thedailystar.net/newDesign/news-details.php?nid=119228
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thedailystar.net/newDesign/news-details.php?nid=119P
Source: GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thelaw.tas.gov.au/fragview/42
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thenews.com.pk/daily_detail.asp?id=17120#
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thenews.com.pk/daily_detail.asp?id=171280
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thenews.com.pk/top_story_detail.asp?Id=2474
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thenews.com.pk/top_story_detail.asp?Id=24742
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thenews.com.pk/updates.asp?id=8716
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thenews.com.pk/updates.asp?id=87168
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thenews.com.pk/updates.asp?id=87168L)
Source: GeoSetter.exe, 00000007.00000003.2486867873.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.theroyalgazette.com/apps/pbcs.dll/article?AID=/20060529/NEWS/105290P0
Source: GeoSetter.exe, 00000007.00000003.2486867873.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.theroyalgazette.com/apps/pbcs.dll/article?AID=/20060529/NEWS/105290P0;(#
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/bangladesh-daylight-saving-2009.h
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/bangladesh-daylight-saving-2009.html
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/bangladesh-daylight-saving-2009.htmld
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/brazil-dst-2008-2009.htm
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/brazil-dst-2008-2009.html
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/cuba-starts-dst-march-16.html
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/cuba-starts-dst-march-16.htmt/
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/cuba-starts-dst-march-16.htmt/WD#
Source: GeoSetter.exe, 00000007.00000003.2484745468.0000000009620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/fiji-dst-ends-march-2010.htm
Source: GeoSetter.exe, 00000007.00000003.2484745468.0000000009620000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/fiji-dst-ends-march-2010.html
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483607874.0000000009604000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/iraq-dumps-daylight-saving.html
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/pakistan-ends-dst09.h
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/pakistan-ends-dst09.html
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/palestine-dst-2011.html
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/syria-dst-starts-march-27-2009.html
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/westbank-gaza-dst-2009.html
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/news/time/westbank-gaza-end-dst-2010.html
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/worldclock/city.html?n=102
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/worldclock/city.html?n=1026
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/worldclock/timezone.html?n=107
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/worldclock/timezone.html?n=11
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.timeanddate.com/worldclock/timezone.html?n=116
Source: GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.tongatapu.net.to/tonga/homeland/timebegins.htm
Source: GeoSetter.exe, 00000007.00000003.2485959928.0000000009620000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.tourism.lt/informa/ff.htm
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.turksandcaicos.tc/calendar/index.htm
Source: GeoSetter.exe, 00000007.00000003.2486000379.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ucalgary.ca/UofC/departments/UP/1-55238/1-55238-110-2.html
Source: GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.uphere.ca/node/4938R
Source: GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.uphere.ca/node/4938R/
Source: GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.uphere.ca/node/dR
Source: GeoSetter.exe, 00000007.00000003.2485959928.0000000009620000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winstonchurchill.org/fh114willett.htm
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldbulletin.net/?aType=haber&ArticleID=70872
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimeserver.com/current_time_in_MN.aspL
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimeserver.com/current_time_in_MN.aspx
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.c.
Source: GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/brazil-time-new-old.p
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/brazil-time-new-old.php
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_argentina08.html
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_bangladesh02.htP
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_bangladesh02.htP_L#
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_bangladesh02.html
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_bangladesh04.ht
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_bangladesh04.html
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_bangladesh05.ht$
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_bangladesh05.html
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_bangladesh06.ht
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_bangladesh06.html
Source: GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_cuba03.html8
Source: GeoSetter.exe, 00000007.00000003.2483666998.000000000960C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_gazastrip01.htm
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_gazastrip01.html
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_gazastrip02.html
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_gazastrip05.html
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_mauritius02.htm
Source: GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2482907104.00000000095C8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_mauritius02.html
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_pakistan02.htm
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_pakistan02.html
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_pakistan05.htm
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_pakistan05.html
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_pakistan07.D
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_pakistan07.htm
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486091069.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_russia03.html
Source: GeoSetter.exe, 00000007.00000003.2483666998.000000000960C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_westbank01.htmX3
Source: GeoSetter.exe, 00000007.00000003.2483666998.000000000960C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_westbank01.htmX3K9#
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_westbank01.html
Source: GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.com/dst_news/dst_news_westbank03.html
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.net/dst_news/dst_news_argentina02.html
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.net/dst_news/dst_news_pakistan01.htm
Source: GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.worldtimezone.net/dst_news/dst_news_pakistan01.html
Source: GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.yle.fi/elavaarkisto/?s=s&g=1&ag=5&t=&a=3401
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.zoomin.de
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.zoomin.de/hilfe/spezielle-funktionen/geosetter/
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.zoomin.de/hilfe/spezielle-funktionen/geosetter/openU
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.zoomin.de/registrieren
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.zoomin.deopen
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.zoomin.deopenU
Source: GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www2.jpl.nasa.gov/srtm/
Source: GeoSetter.exe, 00000007.00000003.2517124090.0000000008D6F000.00000004.00000020.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2549685981.000000000A5D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://leafletjs.com
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://owl.phy.queensu.ca/~phil/exiftool/rss.xml
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.geosetter.de/proxytest.dat
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.geosetter.de/proxytest.datU
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.geosetter.de/update/languages/
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.geosetter.de/update/languages/versions
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.geosetter.de/update/version
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.geosetter.de/update/version_beta
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.geosetter.de/update/version_beta_release_date
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.geosetter.de/update/version_locr
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.geosetter.de/update/version_locr_release_date
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.geosetter.de/update/version_release_date
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.geosetter.de/update/version_release_dateU
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.geosetter.de/update/version_zoomin
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.geosetter.de/update/version_zoomin_release_date
Source: GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.in.gov.br/imprensa/visualiza/index.jsp?jornal=do&secao=1&pagina=1&data=25/04/2008

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443

Source: unknown

HTTPS traffic detected: 130.15.24.27:443 -> 192.168.2.5:49980 version: TLS 1.2

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00423FD4 NtdllDefWindowProc_A,	1_2_00423FD4
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00412A28 NtdllDefWindowProc_A,	1_2_00412A28
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0042F9C0 NtdllDefWindowProc_A,	1_2_0042F9C0
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00479D08 NtdllDefWindowProc_A,	1_2_00479D08
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00457D90 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_00457D90

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Code function: 1_2_0042ED84: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042ED84

Source: C:\Users\user\Desktop\geosetter_setup.exe	Code function: 0_2_004098E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_004098E8
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00455D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00455D80

Source: C:\Users\user\Desktop\geosetter_setup.exe	Code function: 0_2_00408888	0_2_00408888
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00468034	1_2_00468034
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00471688	1_2_00471688
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00488030	1_2_00488030
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0046A088	1_2_0046A088
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00452100	1_2_00452100
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0043E1F0	1_2_0043E1F0
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_004307FC	1_2_004307FC
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00444968	1_2_00444968
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00434A64	1_2_00434A64
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00444F10	1_2_00444F10
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00488F90	1_2_00488F90
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00431388	1_2_00431388
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00445608	1_2_00445608
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0048F6BC	1_2_0048F6BC
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00435768	1_2_00435768
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0045F8C0	1_2_0045F8C0
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0045B970	1_2_0045B970
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00445A14	1_2_00445A14
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Code function: 9_2_00402C00	9_2_00402C00
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Code function: 9_2_00401560	9_2_00401560
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_00404580	15_2_00404580
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_62D841C0	15_2_62D841C0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_62D89890	15_2_62D89890
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_62D84DAC	15_2_62D84DAC
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_65601B39	15_2_65601B39
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_66A0E690	15_2_66A0E690
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_66A014C0	15_2_66A014C0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_66A100D9	15_2_66A100D9
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_66A0F868	15_2_66A0F868
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_66A0D475	15_2_66A0D475
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_66A0A5C0	15_2_66A0A5C0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_66A06F21	15_2_66A06F21
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAEEDC0	15_2_6DAEEDC0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DBAAD50	15_2_6DBAAD50
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB86CF2	15_2_6DB86CF2
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAF4CF0	15_2_6DAF4CF0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DACAC25	15_2_6DACAC25
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAF2C6B	15_2_6DAF2C6B
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DADAC7B	15_2_6DADAC7B
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB14F89	15_2_6DB14F89
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC0CF20	15_2_6DC0CF20
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC1CF30	15_2_6DC1CF30
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE6F5C	15_2_6DAE6F5C
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE2E70	15_2_6DAE2E70
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB8A91D	15_2_6DB8A91D
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB148B3	15_2_6DB148B3
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DBBE870	15_2_6DBBE870
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DBC2BA0	15_2_6DBC2BA0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DBBCBE0	15_2_6DBBCBE0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE6B20	15_2_6DAE6B20
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAF2AB3	15_2_6DAF2AB3
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB04A95	15_2_6DB04A95
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DBCC5A0	15_2_6DBCC5A0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DBC2590	15_2_6DBC2590
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB1452B	15_2_6DB1452B
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAF849C	15_2_6DAF849C
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB7C4F0	15_2_6DB7C4F0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAFE4E0	15_2_6DAFE4E0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAF24FA	15_2_6DAF24FA
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC164B0	15_2_6DC164B0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC12460	15_2_6DC12460
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB9A41B	15_2_6DB9A41B
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB3C36C	15_2_6DB3C36C
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAF8693	15_2_6DAF8693
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAEC1D1	15_2_6DAEC1D1
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DBCA130	15_2_6DBCA130
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB2C120	15_2_6DB2C120
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB0A100	15_2_6DB0A100
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE8140	15_2_6DAE8140
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB58142	15_2_6DB58142
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB3E0BC	15_2_6DB3E0BC
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DBBE3C0	15_2_6DBBE3C0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB3C36C	15_2_6DB3C36C
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DBAC340	15_2_6DBAC340
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE42EC	15_2_6DAE42EC
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB082E0	15_2_6DB082E0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB32260	15_2_6DB32260
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB68260	15_2_6DB68260
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB3824C	15_2_6DB3824C
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB2FC99	15_2_6DB2FC99
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB0BCD0	15_2_6DB0BCD0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DBC5C00	15_2_6DBC5C00
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAEBF23	15_2_6DAEBF23
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB43EF0	15_2_6DB43EF0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAEBE30	15_2_6DAEBE30
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE5921	15_2_6DAE5921
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE794C	15_2_6DAE794C
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE5952	15_2_6DAE5952
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE58BF	15_2_6DAE58BF
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE588E	15_2_6DAE588E
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAC98EC	15_2_6DAC98EC
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB518F0	15_2_6DB518F0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE58F0	15_2_6DAE58F0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DBAF870	15_2_6DBAF870
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC13810	15_2_6DC13810
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE585D	15_2_6DAE585D
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB37B80	15_2_6DB37B80
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE9A90	15_2_6DAE9A90
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB43A50	15_2_6DB43A50
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAEF4BC	15_2_6DAEF4BC
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE74D0	15_2_6DAE74D0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE57AA	15_2_6DAE57AA
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAE57E9	15_2_6DAE57E9
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB3D7FA	15_2_6DB3D7FA
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB577C9	15_2_6DB577C9
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DBB56F0	15_2_6DBB56F0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB35630	15_2_6DB35630
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB99600	15_2_6DB99600
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DACB18E	15_2_6DACB18E
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC25099	15_2_6DC25099
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DAFB0D8	15_2_6DAFB0D8
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC1D060	15_2_6DC1D060
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DB57069	15_2_6DB57069
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DBCD050	15_2_6DBCD050
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC152C0	15_2_6DC152C0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DACD22B	15_2_6DACD22B

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 00446274 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 00453AAC appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 0043497C appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 00458718 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 0040905C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 00407D44 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 00446544 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 0045850C appears 100 times
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 0040357C appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 00406F14 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: String function: 00403684 appears 229 times
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: String function: 6DC137D0 appears 35 times

Source: geosetter_setup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: geosetter_setup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: geosetter_setup.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-1BDNO.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-1BDNO.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-1BDNO.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-07QKO.tmp.1.dr	Static PE information: Resource name: RT_STRING type: PDP-11 separate I&D executable not stripped

Source: is-5LPT9.tmp.1.dr	Static PE information: Number of sections : 14 > 10
Source: is-LEN5V.tmp.1.dr	Static PE information: Number of sections : 11 > 10

Source: geosetter_setup.exe, 00000000.00000003.2053379279.0000000002470000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs geosetter_setup.exe
Source: geosetter_setup.exe, 00000000.00000003.2053568971.00000000020EC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs geosetter_setup.exe

Source: geosetter_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: sus24.evad.winEXE@26/1166@2/2

Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe

Code function: 15_2_6DC0E060 win32_str_os_error,FormatMessageA,LocalAlloc,GetLastError,sprintf,Perl_get_context,Perl_sv_setpvn,LocalFree,

15_2_6DC0E060

Source: C:\Users\user\Desktop\geosetter_setup.exe	Code function: 0_2_004098E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	0_2_004098E8
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00455D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	1_2_00455D80
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_70843DEC Perl_sv_2pv_flags,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,LookupPrivilegeValueA,AdjustTokenPrivileges,AbortSystemShutdownA,AdjustTokenPrivileges,CloseHandle,Perl_newSViv,Perl_sv_2mortal,Perl_croak_nocontext,Perl_sv_2pv_flags,GetCurrentProcess,OpenProcessToken,Perl_sv_2pv_flags,Perl_sv_2iv_flags,Perl_sv_2iv_flags,Perl_sv_2iv_flags,InitiateSystemShutdownA,AdjustTokenPrivileges,CloseHandle,Perl_newSViv,Perl_sv_2mortal,LookupPrivilegeValueA,AdjustTokenPrivileges,Perl_croak_nocontext,Perl_sv_2pv_flags,IsValidSid,LookupAccountSidA,Perl_sv_2pv_flags,Perl_sv_setpv,Perl_sv_setpv,Perl_sv_setpv,Perl_sv_setiv,Perl_croak_nocontext,Perl_sv_2pv_flags,Perl_sv_2pv_flags,LookupAccountNameA,Perl_sv_setpv,Perl_sv_setpvn,Perl_sv_setiv,Perl_croak_nocontext,LoadLibraryA,GetProcAddress,Perl_stack_grow,Perl_newSViv,Perl_sv_2mortal,FreeLibrary,FreeLibrary,GetProcAddress,Perl_warn_nocontext,FreeLibrary,GetCurrentThread,GetCurrentProcess,Perl_safesysmalloc,Perl_safesysfree,CloseHandle,FreeLibrary,Perl_newSViv,Perl_sv_2mortal,Perl_warn_nocontext,Perl_warn_nocontext,Perl_safesysfree,CloseHandle,FreeLibrary,Perl_stack_grow,Perl_warn_nocontext,FreeLibrary,Perl_warn_nocontext,Perl_croak_nocontext,	15_2_70843DEC
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_708441EC InitiateSystemShutdownA,AdjustTokenPrivileges,CloseHandle,Perl_newSViv,Perl_sv_2mortal,	15_2_708441EC

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Code function: 1_2_004565A8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,

1_2_004565A8

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Code function: 1_2_00456DD4 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString,

1_2_00456DD4

Source: C:\Users\user\Desktop\geosetter_setup.exe

Code function: 0_2_0040A0D4 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_0040A0D4

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

File created: C:\Program Files (x86)\GeoSetter

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$8fc
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Mutant created: NULL
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$8fc
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_03
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Mutant created: \Sessions\1\BaseNamedObjects\GeoSetterStartOnlyOnce

Source: C:\Users\user\Desktop\geosetter_setup.exe

File created: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp

Jump to behavior

Source: Yara match	File source: 7.0.GeoSetter.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\GeoSetter\tools\is-V94I6.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\GeoSetter\is-07QKO.tmp, type: DROPPED

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\geosetter_setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: geosetter_setup.exe

String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t

Source: C:\Users\user\Desktop\geosetter_setup.exe

File read: C:\Users\user\Desktop\geosetter_setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\geosetter_setup.exe "C:\Users\user\Desktop\geosetter_setup.exe"
Source: C:\Users\user\Desktop\geosetter_setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp "C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp" /SL5="$20442,24249229,57856,C:\Users\user\Desktop\geosetter_setup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\GeoSetter\GeoSetterShellExt.dll"
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\GeoSetter\GeoSetterShellExt64.dll"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s "C:\Program Files (x86)\GeoSetter\GeoSetterShellExt64.dll"
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process created: C:\Program Files (x86)\GeoSetter\GeoSetter.exe "C:\Program Files (x86)\GeoSetter\GeoSetter.exe"
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process created: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe "C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -listx
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Process created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe -listx
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process created: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe "C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -lang
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Process created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe -lang
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process created: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe "C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -ver
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Process created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe -ver
Source: C:\Users\user\Desktop\geosetter_setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp "C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp" /SL5="$20442,24249229,57856,C:\Users\user\Desktop\geosetter_setup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\GeoSetter\GeoSetterShellExt.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\GeoSetter\GeoSetterShellExt64.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process created: C:\Program Files (x86)\GeoSetter\GeoSetter.exe "C:\Program Files (x86)\GeoSetter\GeoSetter.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s "C:\Program Files (x86)\GeoSetter\GeoSetterShellExt64.dll"	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process created: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe "C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -listx	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process created: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe "C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -lang	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process created: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe "C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -ver	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Process created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe -listx	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Process created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe -lang
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Process created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe -ver

Source: C:\Users\user\Desktop\geosetter_setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\geosetter_setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: shunimpl.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: c_is2022.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: c_g18030.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: c_gsm7.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: c_iscii.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: dcrawlib.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: libeay32.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: ssleay32.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Section loaded: perl524.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Section loaded: perl524.dll
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Section loaded: perl524.dll
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Section loaded: version.dll

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: GeoSetter.lnk.1.dr

LNK file: ..\..\..\..\..\..\Program Files (x86)\GeoSetter\GeoSetter.exe

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe

File written: C:\Users\user\AppData\Roaming\GeoSetter\config.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Automated click: I accept the agreement
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Automated click: OK

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.DisclaimerThis software is provided "as-is". No warranty of any kind is expressed or implied. You use at your own risk. The author will not be liable for data loss damages loss of profits or any other kind of loss while using or misusing this software.FreewareThis program is freeware - that means you can download and copy it. You can even use it for commercial purposes however the sale of this software is prohibited.If you are an editor and wish to include GeoSetter on a magazine's CD or DVD please contact me.I &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.DisclaimerThis software is provided "as-is". No warranty of any kind is expressed or implied. You use at your own risk. The author will not be liable for data loss damages loss of profits or any other kind of loss while using or misusing this software.FreewareThis program is freeware - that means you can download and copy it. You can even use it for commercial purposes however the sale of this software is prohibited.If you are an editor and wish to include GeoSetter on a magazine's CD or DVD please contact me.I &accept the agreementI &do not accept the agreement&Next >Cancel

Source: geosetter_setup.exe

Static file information: File size 24564453 > 1048576

Source: geosetter_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Code function: 1_2_00450994 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450994

Source: is-5LPT9.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0xbf086
Source: is-QSPTB.tmp.1.dr	Static PE information: real checksum: 0x1f64a3 should be: 0x8013a0
Source: is-V94I6.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x1dd75
Source: exiftool.exe.7.dr	Static PE information: real checksum: 0x1f64a3 should be: 0x8013a0
Source: is-KONM9.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x536fb
Source: geosetter_setup.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0xb33d1
Source: is-LEN5V.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x87192
Source: is-1BDNO.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0xbcd2a

Source: is-LEN5V.tmp.1.dr	Static PE information: section name: .stab
Source: is-LEN5V.tmp.1.dr	Static PE information: section name: .stabstr
Source: is-5LPT9.tmp.1.dr	Static PE information: section name: /4
Source: is-5LPT9.tmp.1.dr	Static PE information: section name: /16
Source: is-5LPT9.tmp.1.dr	Static PE information: section name: /30
Source: is-5LPT9.tmp.1.dr	Static PE information: section name: /42

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\GeoSetter\GeoSetterShellExt.dll"

Source: C:\Users\user\Desktop\geosetter_setup.exe	Code function: 0_2_00406A18 push 00406A55h; ret	0_2_00406A4D
Source: C:\Users\user\Desktop\geosetter_setup.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\geosetter_setup.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\geosetter_setup.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\geosetter_setup.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\geosetter_setup.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\geosetter_setup.exe	Code function: 0_2_004093B4 push 004093E7h; ret	0_2_004093DF
Source: C:\Users\user\Desktop\geosetter_setup.exe	Code function: 0_2_00408580 push ecx; mov dword ptr [esp], eax	0_2_00408585
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00409D9C push 00409DD9h; ret	1_2_00409DD1
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0041A078 push ecx; mov dword ptr [esp], ecx	1_2_0041A07D
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00452100 push ecx; mov dword ptr [esp], eax	1_2_00452105
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0040A273 push ds; ret	1_2_0040A29D
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_004062C4 push ecx; mov dword ptr [esp], eax	1_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0040A29F push ds; ret	1_2_0040A2A0
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00460518 push ecx; mov dword ptr [esp], ecx	1_2_0046051C
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00496594 push ecx; mov dword ptr [esp], ecx	1_2_00496599
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_004587B4 push 004587ECh; ret	1_2_004587E4
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00410930 push ecx; mov dword ptr [esp], edx	1_2_00410935
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00486A94 push ecx; mov dword ptr [esp], ecx	1_2_00486A99
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00478D50 push ecx; mov dword ptr [esp], edx	1_2_00478D51
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00412D78 push 00412DDBh; ret	1_2_00412DD3
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0040D288 push ecx; mov dword ptr [esp], edx	1_2_0040D28A
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0040F7E8 push ecx; mov dword ptr [esp], edx	1_2_0040F7EA
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_004438E0 push ecx; mov dword ptr [esp], ecx	1_2_004438E4
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00459ACC push 00459B10h; ret	1_2_00459B08
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0049BD44 pushad ; retf	1_2_0049BD53

Source: is-P21BL.tmp.1.dr

Static PE information: section name: .text entropy: 6.807704201137633

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\is-KONM9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\8b4e2b00.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\bc3918b8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\IO\IO.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Digest\MD5\MD5.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Digest\SHA\SHA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\ielib32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\is-07QKO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Time\Piece\Piece.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\mro\mro.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\is-HJO89.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\is-OMIVA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Socket\Socket.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Cwd\Cwd.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Compress\Raw\Bzip2\Bzip2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\e8ce9e63.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\perl524.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\tools\is-V94I6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\DelZip190.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\0b174c5f.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\9e2b3cdd.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\e5acedbf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\is-5LPT9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32\FindFile\FindFile.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\30e95417.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\GeoSetterShellExt.dll (copy)	Jump to dropped file
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	File created: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Time\HiRes\HiRes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\GeoSetterShellExt64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32\API\API.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\54f7af00.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Math\BigInt\GMP\GMP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\a09139d7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\tools\exiftool.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32\Win32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\File\Glob\Glob.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\is-1BDNO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\tools\consoleStartHelper.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\is-B0F3I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\6b9bcbc1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\MIME\Base64\Base64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32\Console\Console.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\List\Util\Util.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\72279688.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\tools\is-QSPTB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32API\File\File.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\is-LEN5V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Math\BigInt\FastCalc\FastCalc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\dcrawlib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Fcntl\Fcntl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\re\re.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\GeoSetter.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\is-P21BL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Program Files (x86)\GeoSetter\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\7f720997.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\25bbf886.dll	Jump to dropped file
Source: C:\Users\user\Desktop\geosetter_setup.exe	File created: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Encode\Encode.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\POSIX\POSIX.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	File created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Compress\Raw\Zlib\Zlib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BDALQ.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GeoSetter			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GeoSetter\GeoSetter.lnk			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0042405C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_0042405C
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0042405C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_0042405C
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00422CAC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_00422CAC
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0041811E IsIconic,SetWindowPos,	1_2_0041811E
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00418120 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00418120
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_004245E4 IsIconic,SetActiveWindow,	1_2_004245E4
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0042462C IsIconic,SetActiveWindow,SetFocus,	1_2_0042462C
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_004187D4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_004187D4
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00484D28 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_00484D28
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0042F71C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,	1_2_0042F71C
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_004179E8 IsIconic,GetCapture,	1_2_004179E8

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Code function: 1_2_0041F568 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0041F568

Source: C:\Users\user\Desktop\geosetter_setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Memory allocated: A5F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Memory allocated: A9A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Memory allocated: AB20000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Memory allocated: AB40000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Memory allocated: BC20000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Memory allocated: BCE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Memory allocated: BD80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Memory allocated: BDE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Memory allocated: BE00000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Memory allocated: BE60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Memory allocated: BE80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Memory allocated: BEA0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Memory allocated: BEC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Window / User API: threadDelayed 1920			Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Window / User API: threadDelayed 7634			Jump to behavior

Source: C:\Users\user\Desktop\geosetter_setup.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-6073

Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe

API coverage: 0.1 %

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe TID: 5144

Thread sleep time: -76340s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Thread sleep count: Count: 1920 delay: -10			Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Thread sleep count: Count: 7634 delay: -10			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00476120 FindFirstFileA,FindNextFileA,FindClose,	1_2_00476120
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_004531A4 FindFirstFileA,GetLastError,	1_2_004531A4
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_004648D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004648D0
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00464D4C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464D4C
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_00463344 FindFirstFileA,FindNextFileA,FindClose,	1_2_00463344
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: 1_2_0049998C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_0049998C
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC0AEB0 win32_opendir,strlen,Perl_safesyscalloc,strcpy,MultiByteToWideChar,Perl_get_context,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,strlen,Perl_safesysmalloc,strcpy,GetLastError,_errno,WideCharToMultiByte,_errno,_errno,Perl_safesysfree,_errno,_errno,	15_2_6DC0AEB0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC0BB70 win32_longpath,strcpy,FindFirstFileA,strcpy,FindClose,_errno,FindClose,_errno,	15_2_6DC0BB70
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_70845F80 PL_charclass,wcscpy,FindFirstFileW,wcslen,wcscpy,FindClose,_errno,FindClose,_errno,toupper,	15_2_70845F80
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_70845BA0 PL_charclass,_mbscpy,FindFirstFileA,_mbscpy,FindClose,toupper,_errno,FindClose,_errno,	15_2_70845BA0

Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe

15_2_6560A76C

Source: C:\Users\user\Desktop\geosetter_setup.exe

Code function: 0_2_0040A018 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_0040A018

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini	Jump to behavior

Source: geosetter_setup.tmp, 00000001.00000003.2458983625.000000000076D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: geosetter_setup.tmp, 00000001.00000003.2458983625.000000000076D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep			graph_9-1716
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep			graph_15-242634

Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe

Code function: 15_2_62103C50 IsDebuggerPresent,Perl_croak_nocontext,

15_2_62103C50

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Code function: 1_2_00450994 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450994

Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Code function: 9_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,GetProcAddress,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,	9_2_00401180
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Code function: 9_2_00404700 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	9_2_00404700
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,GetProcAddress,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,	15_2_00401180
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_004064F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	15_2_004064F0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_62104560 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	15_2_62104560
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_62583410 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	15_2_62583410
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_62AC27C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	15_2_62AC27C0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_62D89200 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	15_2_62D89200
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_64FC2E30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	15_2_64FC2E30
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6560FC30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	15_2_6560FC30
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_66A140E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	15_2_66A140E0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_66E02810 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	15_2_66E02810
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_674C3960 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	15_2_674C3960
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6A5466D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	15_2_6A5466D0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC1BB70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,EnterCriticalSection,TlsGetValue,GetLastError,TlsGetValue,GetLastError,LeaveCriticalSection,	15_2_6DC1BB70
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_707C48D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	15_2_707C48D0
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_70848340 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	15_2_70848340

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Code function: 1_2_0047974C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_0047974C

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process created: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe "C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -listx	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process created: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe "C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -lang	Jump to behavior
Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe	Process created: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe "C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -ver	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Process created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe -listx	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Process created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe -lang
Source: C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	Process created: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe -ver

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Code function: 1_2_0042F254 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,

1_2_0042F254

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Code function: 1_2_0042E4EC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042E4EC

Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWnd
Source: GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWndS

Source: C:\Users\user\Desktop\geosetter_setup.exe	Code function: GetLocaleInfoA,	0_2_0040565C
Source: C:\Users\user\Desktop\geosetter_setup.exe	Code function: GetLocaleInfoA,	0_2_004056A8
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: GetLocaleInfoA,	1_2_004089B8
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Code function: GetLocaleInfoA,	1_2_00408A04

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Code function: 1_2_00458DC4 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_00458DC4

Source: C:\Users\user\Desktop\geosetter_setup.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp

Code function: 1_2_00455D38 GetUserNameA,

1_2_00455D38

Source: C:\Users\user\Desktop\geosetter_setup.exe

Code function: 0_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

0_2_00404654

Source: C:\Program Files (x86)\GeoSetter\GeoSetter.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC12260 win32_listen,_get_osfhandle,listen,WSAGetLastError,_errno,SetLastError,		15_2_6DC12260
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Code function: 15_2_6DC11EF0 win32_bind,_get_osfhandle,bind,WSAGetLastError,_errno,SetLastError,		15_2_6DC11EF0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Native API	1 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	4 Obfuscated Files or Information	Security Account Manager	5 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	13 Process Injection	1 Software Packing	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	111 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Masquerading	Cached Domain Credentials	13 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	13 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	13 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Regsvr32	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
geosetter_setup.exe	2%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\GeoSetter\DelZip190.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\GeoSetter\GeoSetter.exe (copy)	2%	ReversingLabs
C:\Program Files (x86)\GeoSetter\GeoSetterShellExt.dll (copy)	2%	ReversingLabs
C:\Program Files (x86)\GeoSetter\GeoSetterShellExt64.dll (copy)	2%	ReversingLabs
C:\Program Files (x86)\GeoSetter\dcrawlib.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\GeoSetter\ielib32.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\GeoSetter\is-07QKO.tmp	2%	ReversingLabs
C:\Program Files (x86)\GeoSetter\is-1BDNO.tmp	2%	ReversingLabs
C:\Program Files (x86)\GeoSetter\is-5LPT9.tmp	2%	ReversingLabs
C:\Program Files (x86)\GeoSetter\is-B0F3I.tmp	0%	ReversingLabs
C:\Program Files (x86)\GeoSetter\is-HJO89.tmp	0%	ReversingLabs
C:\Program Files (x86)\GeoSetter\is-KONM9.tmp	0%	ReversingLabs
C:\Program Files (x86)\GeoSetter\is-LEN5V.tmp	2%	ReversingLabs
C:\Program Files (x86)\GeoSetter\is-OMIVA.tmp	4%	ReversingLabs
C:\Program Files (x86)\GeoSetter\is-P21BL.tmp	0%	ReversingLabs
C:\Program Files (x86)\GeoSetter\libeay32.dll (copy)	4%	ReversingLabs
C:\Program Files (x86)\GeoSetter\ssleay32.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\GeoSetter\tools\consoleStartHelper.exe (copy)	3%	ReversingLabs
C:\Program Files (x86)\GeoSetter\tools\exiftool.exe (copy)	2%	ReversingLabs
C:\Program Files (x86)\GeoSetter\tools\is-QSPTB.tmp	2%	ReversingLabs
C:\Program Files (x86)\GeoSetter\tools\is-V94I6.tmp	3%	ReversingLabs
C:\Program Files (x86)\GeoSetter\unins000.exe (copy)	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BDALQ.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\0b174c5f.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\25bbf886.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\30e95417.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\54f7af00.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\6b9bcbc1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\72279688.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\7f720997.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\8b4e2b00.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\9e2b3cdd.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\a09139d7.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\bc3918b8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\e5acedbf.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\e8ce9e63.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Compress\Raw\Bzip2\Bzip2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Compress\Raw\Zlib\Zlib.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Cwd\Cwd.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Digest\MD5\MD5.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Digest\SHA\SHA.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Encode\Encode.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Fcntl\Fcntl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\File\Glob\Glob.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\IO\IO.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\List\Util\Util.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\MIME\Base64\Base64.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Math\BigInt\FastCalc\FastCalc.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Math\BigInt\GMP\GMP.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\POSIX\POSIX.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Socket\Socket.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Time\HiRes\HiRes.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Time\Piece\Piece.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32API\File\File.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32\API\API.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32\Console\Console.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32\FindFile\FindFile.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32\Win32.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\mro\mro.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\re\re.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\script\exiftool	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\perl524.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe	2%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.indyproject.org/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
map.geosetter.de	185.30.32.197	true	true		unknown
owl.phy.queensu.ca	130.15.24.27	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://map.geosetter.de/v3/leaflet/leaflet.js	false		unknown
http://map.geosetter.de/v3/map_google.html	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.locr.com/api	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
http://www.hri.org/news/world/undh/last/00-08-16.undh.html	GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.smh.com.au/news/9905/26/pageone/pageone4.html	GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2484059778.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.worldtimezone.com/brazil-time-new-old.php	GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.worldtimezone.com/dst_news/dst_news_gazastrip05.html	GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://media.enet.cu/radioreloj	GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.worldtimezone.com/dst_news/dst_news_bangladesh02.htP	GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://abc.net.au/local/news/olympics/1999/07/item19990728112314_1.ht	GeoSetter.exe, 00000007.00000003.2484591039.000000000960C000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://g1.globo.com/bahia/noticia/2011/10/governador-jaques-wagner-confirma-horario-de-verao-na-bahi	GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://news.mail.ru/politics/6861560/	GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.horaoficial.cl/cambio.h	GeoSetter.exe, 00000007.00000003.2487461434.00000000095F3000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://home.no.net/janmayen/history.htm	GeoSetter.exe, 00000007.00000003.2486000379.0000000009614000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.arabtimesonline.com/arabtimes/kuwait/Viewdet.asp?ID=9950	GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.indyproject.org/	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false	URL Reputation: safe	unknown
http://www.dawn.com/2003/03/07/top15.htm	GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://pcdsh01.on.br/HV27998.htm	GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.lagaceta.com.ar/vernotae.asp?id_nota=253414	GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.japantimes.co.jp/cgi-bin/getarticle.pl5?nn20050810f2.htm	GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483607874.0000000009604000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.sumatera-inc.com/go_to_invest/about_indonesia.asp#standtim	GeoSetter.exe, 00000007.00000003.2483444097.00000000095C8000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.thedailystar.net/newDesign/latest_news.php?nid=2281	GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.openstreetmap.org	GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://www.mme.gov.br/site/news/detail.do;jsessionid=BBA06811AFCAAC28F0285210913513DA?newsId=13975	GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.geosetter.de4http://www.geosetter.de/en	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
http://www.hko.gov.hk/gts/time/Summertime.	GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://api.geonames.org	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
http://pcdsh01.on.br/HISTHV.htm	GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://w1.c1.rada.gov.ua/pls/zweb_n/webproc4_1?id=&pf3511=41484	GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://media.enet.cu/radiorelot	GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.geonames.org/login	GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://www.worldtimezone.com/dst_news/dst_news_westbank01.htmX3K9#	GeoSetter.exe, 00000007.00000003.2483666998.000000000960C000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.worldtimeserver.com/current_time_in_MN.aspx	GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://rega.basbakanlik.gov.tr/eskiler/2007/03/20070307-7.htm	GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.locr.com	GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://www.locr.com/user/my_page/my_photos_edit.phpopen	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
http://www.nnc.cubaweb.cu/marzo-2008/cien-1-11-3-08.htm	GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.mongoliatourism.gov.mn/general.htm	GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.delphizip.org	GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	geosetter_setup.exe, geosetter_setup.exe, 00000000.00000002.2462074891.0000000000401000.00000020.00000001.01000000.00000003.sdmp	false		unknown
http://www.pettswoodvillage.co.uk/Daylight_Savings_William_Willett.pdf	GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486362486.0000000009648000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.thenews.com.pk/daily_detail.asp?id=171280	GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.geosetter.de/update/version_beta_release_date	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
https://www.geosetter.de/update/version_locr	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
http://inms-ienm.nrc-cnrc.gc.ca/images/time_services/TZ01SWE.j	GeoSetter.exe, 00000007.00000003.2486841143.0000000009614000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.ptb.de/de/org/4/44/441/salt.htm	GeoSetter.exe, 00000007.00000003.2485959928.0000000009620000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.worldtimezone.com/dst_news/dst_news_westbank01.htmX3	GeoSetter.exe, 00000007.00000003.2483666998.000000000960C000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.mme.gov.br/firs	GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.gobernac.mendoza.gov.ar/boletin/pdf/20040924-27244-normas.pdf	GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.geosetter.de/update/version_release_date	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
http://www.zoomin.de/registrieren	GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://www.sumatera-inc.com/go_to_invest/about_indonesia.asp#standtime	GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.winstonchurchill.org/fh114willett.htm	GeoSetter.exe, 00000007.00000003.2485959928.0000000009620000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://pcdsh01.on.br/DecHV.h$#	GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://uk.reuters.com/article/oilRpt/idUKBLA65048420070916	GeoSetter.exe, 00000007.00000003.2483444097.00000000095C8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483542296.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.timeanddate.com/news/time/iraq-dumps-daylight-saving.html	GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483607874.0000000009604000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.guardian.co.uk/world/feedarticle/7759001	GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.hri.org/news/world/undh/last/00-08-16.undh.htmD	GeoSetter.exe, 00000007.00000003.2483444097.00000000095C8000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.geosetter.deDhttp://www.geosetter.de/changes-de4http://www.geosetter.de/enJhttp://www.geo	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
http://www.worldtimezone.com/dst_news/dst_news_bangladesh06.html	GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.hurriyet.com.tr/ekonomi/17230464.asp?gid=373	GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://map.geosetter.de/v3/map_google.htmlSV	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
http://www.jpost.com/MiddleEast/Article.aspx?id=235650	GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.google.com/kml/ext/2.2	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
http://www.worldtimezone.com/dst_news/dst_news_gazastrip01.html	GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.worldtimeserver.com/current_time_in_MN.aspL	GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.horaoficial.cl/cambio.htm	GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.locr.com/photo/album/albums.php?album_id=%s	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
http://pcdsh01.on.br/HV1674.htm	GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.cddhcu.gob.mx/bibliot/publica/inveyana/polisoc/horver/(	GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.segodnya.ua/news/14290482.html	GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://news.tut.by/society/250578.html	GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.prensalatina.com.mx/article.asp?ID=%7B4CC32C1B-A9F7-42FB-8A07-8631AFC923AF%7D&language=D)	GeoSetter.exe, 00000007.00000003.2486925654.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.presidencia.gub.uy/decretos/2004091502.htm	GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://ar.clarin.com/diario/2001-06-12/s-03501.htm	GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.mcil.gov.ws/mcil_publications.h	GeoSetter.exe, 00000007.00000003.2484745468.0000000009620000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.geosetter.de/proxytest.datU	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
http://jornale.com.br/index.php?option=com_content&task=view&id=13530&Itemid=5t%	GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://bdnews24.com/details.php?id=85889&cid=H#	GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.nineoclock.ro/POL/1778pol.html	GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://tile.stamen.com/terrain-background	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
http://www.astro.uni.torun.pl/~kb/Artykuly/U-PA/Czas2.htm#tth_tAb1	GeoSetter.exe, 00000007.00000003.2485048789.0000000009610000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.pak.gov.pk/public/news/app/app06_dec.htm	GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483058159.0000000009610000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://almanakka.helsinki.fi/aikakirja/Aikakirja2007kokonaan.pdf	GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486117127.00000000095CE000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://student.cusu.cam.ac.uk/~jsm28/british-timeT	GeoSetter.exe, 00000007.00000003.2485959928.0000000009620000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.pak.gov.pk/public/news/app/app06_dec.htp	GeoSetter.exe, 00000007.00000003.2483691540.0000000009614000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.thedailystar.net/newDesign/news-details.php?nid=119P	GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.thedailystar.net/newDesign/news-details.php?nid=107P	GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.shoa.cl/noticias/2008/04hora/hora.htm	GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://pcdsh01.on.br/HV1636.htm	GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://story.philippinetimes.com/p.x/ct/9/id/145be20cc6b121c0/cid/3e5bbccc730d258c/	GeoSetter.exe, 00000007.00000003.2483199614.00000000095E8000.00000004.00001000.00020000.00000000.sdmp, GeoSetter.exe, 00000007.00000003.2483123371.000000000961C000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.mytopo.com	GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://www.geosetter.de/geosetter_beta.exeU	GeoSetter.exe, 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false		unknown
http://petra.gov.jo/Artical.aspx?Lng=2&Section=8&Artical=95279	GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.sana.sy/ara/2/2009/09/29/247012.htm	GeoSetter.exe, 00000007.00000003.2483444097.00000000095D0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.lapalmainteractivo.com/guias/content/gen/ap/America_Latina/AMC_GEN_NICARAGUA_HORA.h	GeoSetter.exe, 00000007.00000003.2487377772.00000000095EC000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.presidencia.gub.uy/_Web/decretos/2005/09/CM%20119_09%2009%202005_00001.PDF	GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.locr.com/user_create.php	GeoSetter.exe, 00000007.00000000.2455770204.0000000000D10000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://student.cusu.cam.ac.uk/~jsm28/british-time/	GeoSetter.exe, 00000007.00000003.2485467240.0000000009628000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.gobernac.mendoza.gov.ar/boletin/pdf/20040521-27158-normas.pdf	GeoSetter.exe, 00000007.00000003.2486990828.0000000009630000.00000004.00001000.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.30.32.197	map.geosetter.de	Germany		48324	DE-WEBGOwwwwebgodeDE	true
130.15.24.27	owl.phy.queensu.ca	Canada		31983	QUEENSU-KINGSTONCA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546439
Start date and time:	2024-10-31 22:21:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	geosetter_setup.exe
Detection:	SUS
Classification:	sus24.evad.winEXE@26/1166@2/2
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 92% Number of executed functions: 203 Number of non-executed functions: 254
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target exiftool.exe, PID 2140 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: geosetter_setup.exe

Simulations

Behavior and APIs

Time	Type	Description
17:23:28	API Interceptor	11352648x Sleep call for process: GeoSetter.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
QUEENSU-KINGSTONCA	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	130.15.151.129
	arm5-20240706-0316.elf	Get hash	malicious	Mirai	Browse	130.15.5.203
	HOdRDgUXqH.elf	Get hash	malicious	Mirai	Browse	130.15.5.203
	syms.arm.elf	Get hash	malicious	Mirai	Browse	130.15.5.205
	1JRhF9Wecw.elf	Get hash	malicious	Mirai, Moobot	Browse	130.15.133.115
	Q0ckwyWEJ4	Get hash	malicious	Mirai	Browse	130.15.133.115
	Y8spWI11i7.dll	Get hash	malicious	Wannacry	Browse	130.15.222.111
	djWXcpcbUl	Get hash	malicious	Mirai	Browse	130.15.63.220
	sora.x86	Get hash	malicious	Mirai	Browse	130.15.5.216
	LxZtt8te4n	Get hash	malicious	Mirai	Browse	130.15.16.121
DE-WEBGOwwwwebgodeDE	mfyPnr7Rxa.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	185.30.32.74
	27i42a6Qag.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	185.30.32.136
	WpPPx8yVOV.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.30.32.206
	iMapU.xlsm	Get hash	malicious	Unknown	Browse	185.30.32.84
	SecuriteInfo.com.Variant.Jaik.72878.26519.exe	Get hash	malicious	FormBook	Browse	185.30.35.35
	ANTIMETHODIC.exe	Get hash	malicious	FormBook GuLoader	Browse	185.30.34.153
	doc04932620220119130914.exe	Get hash	malicious	FormBook	Browse	185.30.32.154
	S3JoEcfrv6.exe	Get hash	malicious	FormBook	Browse	185.30.35.34
	quotation New Order I5117.exe	Get hash	malicious	FormBook	Browse	185.30.32.154
	Txbu8gCsuV.exe	Get hash	malicious	Dridex	Browse	185.30.32.33

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
b22b3950835f7eba2f3be0917e4f949e	Estimado_1546359641.155196.msi	Get hash	malicious	VMdetect	Browse	130.15.24.27
	PyCZ044s6O.exe	Get hash	malicious	Unknown	Browse	130.15.24.27
	83Beigy1jC.msi	Get hash	malicious	Unknown	Browse	130.15.24.27
	ContratoAprovado+002336.msi	Get hash	malicious	Unknown	Browse	130.15.24.27
	bs3sO7r4K4.msi	Get hash	malicious	Unknown	Browse	130.15.24.27
	iUyzvEVVxL.msi	Get hash	malicious	Unknown	Browse	130.15.24.27
	yQA3ACsxlm.msi	Get hash	malicious	Unknown	Browse	130.15.24.27

Process:	C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	299520
Entropy (8bit):	6.185961311364828
Encrypted:	false
SSDEEP:	6144:yE2eKJePDxNrdidrV/6dn/rvDvjsyOAKSM2sT6Agjbh:nxKMbhyrV/6dn/zsyOAM6A
MD5:	1FA0B840106D39602894E5C5FFE49951
SHA1:	1B727C746E4C40DCF20D029938480156935C8CB0
SHA-256:	27DDF78ECEB8DB8449A6210E19CAFD5A785B494DF997990093E5AA56409078E6
SHA-512:	06F6D2E7937F8EC50232900A35509D26AA7011A152ACA1ED9D1691F0E2CEE999CECA289635B5F655F6CB995A357ADD76C345F38C88E5DE896A8273D69D7A0DC4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L.....}L...........#.....P...p...............`....@..........................@..................................................~...............................,$...................................................................................text....P.......B.................. ..`.data....p...`.......H..............@....tls.................N..............@....idata...............P..............@..@.edata...............\..............@..@.rsrc................^..............@..@

Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\is-KONM9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\8b4e2b00.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\bc3918b8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\IO\IO.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Digest\MD5\MD5.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Digest\SHA\SHA.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\ielib32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Time\Piece\Piece.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\mro\mro.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\is-HJO89.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\is-OMIVA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Socket\Socket.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Cwd\Cwd.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Compress\Raw\Bzip2\Bzip2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\e8ce9e63.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\DelZip190.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\tools\is-V94I6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\0b174c5f.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\9e2b3cdd.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\e5acedbf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\is-5LPT9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\30e95417.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32\FindFile\FindFile.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\GeoSetterShellExt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Time\HiRes\HiRes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\GeoSetterShellExt64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32\API\API.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\54f7af00.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Math\BigInt\GMP\GMP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\a09139d7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32\Win32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\File\Glob\Glob.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\is-1BDNO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\tools\consoleStartHelper.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\is-B0F3I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\6b9bcbc1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\MIME\Base64\Base64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32\Console\Console.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\List\Util\Util.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\72279688.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Win32API\File\File.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\is-LEN5V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Math\BigInt\FastCalc\FastCalc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Fcntl\Fcntl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\re\re.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\GeoSetter\is-P21BL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\7f720997.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\25bbf886.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Encode\Encode.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\POSIX\POSIX.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\exiftool.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\par-616c666f6e73\cache-exiftool-10.96\inc\lib\auto\Compress\Raw\Zlib\Zlib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OLKP3.tmp\geosetter_setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BDALQ.tmp\_isetup\_setup64.tmp	Jump to dropped file

Process:	C:\Users\user\Desktop\geosetter_setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	713728
Entropy (8bit):	6.516598351135674
Encrypted:	false
SSDEEP:	12288:usMLIMoi3rPR37dzHRA6nX0D9OKWbO7SERb5rNUK1bce0syxyR:JMcMoi3rPR37dzHRA6G7WbuSEmK50syQ
MD5:	832DAB307E54AA08F4B6CDD9B9720361
SHA1:	EBD007FB7482040ECF34339E4BF917209C1018DF
SHA-256:	CC783A04CCBCA4EDD06564F8EC88FE5A15F1E3BB26CEC7DE5E090313520D98F3
SHA-512:	358D43522FD460EB1511708E4DF22EA454A95E5BC3C4841931027B5FA3FB1DDA05D496D8AD0A8B9279B99E6BE74220FE243DB8F08EF49845E9FB35C350EF4B49
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&...........................................................0......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..P....@......................@..P.rsrc...............................@..P.....................r..............@..P........................................................................................................................................

Entrypoint:	0x40aa98
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	2fb819a19fe4dee5c03e8c6a79342f79

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe000	0x97c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x10000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0xa1d0	0xa200	b7ea439d9c6d5ec722056c9243fb3054	False	0.6025028935185185	data	6.643749028594943	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xc000	0x250	0x400	9b2268ed5360951559d8041925d025fb	False	0.3037109375	data	2.740124513017086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xd000	0xe94	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xe000	0x97c	0xa00	df5f31e62e05c787fd29eed7071bf556	False	0.41796875	data	4.486076246232586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xf000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x10000	0x18	0x200	14dfa4128117e7f94fe2f8d7dea374a0	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x11000	0x91c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x2c00	0x2c00	4715e0a1c5700e9b8f2f00ea3fe6c560	False	0.3328302556818182	data	4.584657973977152	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1247c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x129e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x12ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x13574	0x2f2	data			0.35543766578249336
RT_STRING	0x13868	0x30c	data			0.3871794871794872
RT_STRING	0x13b74	0x2ce	data			0.42618384401114207
RT_STRING	0x13e44	0x68	data			0.75
RT_STRING	0x13eac	0xb4	data			0.6277777777777778
RT_STRING	0x13f60	0xae	data			0.5344827586206896
RT_RCDATA	0x14010	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0x1403c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x1407c	0x4f4	data	English	United States	0.2689274447949527
RT_MANIFEST	0x14570	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 22:22:55.433685064 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:55.438699961 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:55.438776016 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:55.440166950 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:55.445080042 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:56.279966116 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:56.279989958 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:56.280010939 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:56.280023098 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:56.280045033 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:56.280071974 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:56.280108929 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:56.280255079 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:56.280714989 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:56.280759096 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:56.280791044 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:56.280834913 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:56.281023026 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:56.281064034 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:56.281302929 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:56.281352043 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:56.281946898 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:56.282135963 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:56.407521009 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:56.407588959 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.209213972 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.210150957 CET	49855	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.214150906 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.215025902 CET	80	49855	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.215096951 CET	49855	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.215462923 CET	49855	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.220664978 CET	80	49855	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.459532976 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.459660053 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.459780931 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.459817886 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.459835052 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.459918022 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.460004091 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.460035086 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.460071087 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.460088015 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.460089922 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.460161924 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.460607052 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.460635900 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.460659027 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.460681915 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.460974932 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.461020947 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.461365938 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.461874008 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.461949110 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.462055922 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.462428093 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.587291956 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.587363005 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.587737083 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.593467951 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.837655067 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.837696075 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.837713003 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.837730885 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.837734938 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.837776899 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.838278055 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.838319063 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.838385105 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.838413000 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.838488102 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.838887930 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.838936090 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.839019060 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.839068890 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.839267969 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.839286089 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.839315891 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.839325905 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.839790106 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.839803934 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.839842081 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.839858055 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.840267897 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.840320110 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.840323925 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.840414047 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.840663910 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.840730906 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.841059923 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.841111898 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.841396093 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.841449976 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.841855049 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.841908932 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.842540026 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.842601061 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.842823982 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.842869997 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.844167948 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.844209909 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.844271898 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.844341993 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.844355106 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.844407082 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.952749014 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.952828884 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.965451002 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.965517044 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.965554953 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.965557098 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.965594053 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.965617895 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.965667009 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.965706110 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.965708017 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.965862036 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.965889931 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.965930939 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.965961933 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.965991020 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966021061 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966048002 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.966294050 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966309071 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966324091 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966346979 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.966373920 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966408968 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.966418028 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966444016 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.966516018 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966543913 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966561079 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966573000 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.966583014 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.966622114 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.966768026 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966834068 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966931105 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.966937065 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966953039 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966970921 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.966979980 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.966989994 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.967000008 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.967035055 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.967035055 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.967288971 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:57.967390060 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.968592882 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:57.973809004 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:58.047349930 CET	80	49855	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:58.047368050 CET	80	49855	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:58.047420025 CET	49855	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:58.047456980 CET	49855	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:58.047635078 CET	80	49855	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:58.047667027 CET	80	49855	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:58.047693968 CET	49855	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:58.047734976 CET	49855	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:58.047866106 CET	80	49855	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:58.047883034 CET	80	49855	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:58.047944069 CET	49855	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:22:58.218626976 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:22:58.218775034 CET	49849	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:23:44.232709885 CET	49980	443	192.168.2.5	130.15.24.27
Oct 31, 2024 22:23:44.232741117 CET	443	49980	130.15.24.27	192.168.2.5
Oct 31, 2024 22:23:44.232798100 CET	49980	443	192.168.2.5	130.15.24.27
Oct 31, 2024 22:23:46.303503036 CET	49980	443	192.168.2.5	130.15.24.27
Oct 31, 2024 22:23:46.303524017 CET	443	49980	130.15.24.27	192.168.2.5
Oct 31, 2024 22:23:47.235691071 CET	443	49980	130.15.24.27	192.168.2.5
Oct 31, 2024 22:23:47.235814095 CET	49980	443	192.168.2.5	130.15.24.27
Oct 31, 2024 22:23:47.239666939 CET	49980	443	192.168.2.5	130.15.24.27
Oct 31, 2024 22:23:47.239675045 CET	443	49980	130.15.24.27	192.168.2.5
Oct 31, 2024 22:23:47.239902020 CET	443	49980	130.15.24.27	192.168.2.5
Oct 31, 2024 22:23:47.240334034 CET	49980	443	192.168.2.5	130.15.24.27
Oct 31, 2024 22:23:47.283341885 CET	443	49980	130.15.24.27	192.168.2.5
Oct 31, 2024 22:23:47.409986019 CET	443	49980	130.15.24.27	192.168.2.5
Oct 31, 2024 22:23:47.410036087 CET	443	49980	130.15.24.27	192.168.2.5
Oct 31, 2024 22:23:47.410258055 CET	49980	443	192.168.2.5	130.15.24.27
Oct 31, 2024 22:23:47.416255951 CET	49980	443	192.168.2.5	130.15.24.27
Oct 31, 2024 22:23:47.416271925 CET	443	49980	130.15.24.27	192.168.2.5
Oct 31, 2024 22:24:03.174741030 CET	80	49855	185.30.32.197	192.168.2.5
Oct 31, 2024 22:24:03.174884081 CET	49855	80	192.168.2.5	185.30.32.197
Oct 31, 2024 22:24:03.347544909 CET	80	49849	185.30.32.197	192.168.2.5
Oct 31, 2024 22:24:03.347641945 CET	49849	80	192.168.2.5	185.30.32.197

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 22:22:55.404400110 CET	53813	53	192.168.2.5	1.1.1.1
Oct 31, 2024 22:22:55.429100990 CET	53	53813	1.1.1.1	192.168.2.5
Oct 31, 2024 22:23:44.183433056 CET	49642	53	192.168.2.5	1.1.1.1
Oct 31, 2024 22:23:44.232108116 CET	53	49642	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 22:22:55.440166950 CET	238	OUT	GET /v3/map_google.html HTTP/1.1 Accept: / Accept-Language: en-CH User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0) Accept-Encoding: gzip, deflate Host: map.geosetter.de Connection: Keep-Alive
Oct 31, 2024 22:22:56.279966116 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 31 Oct 2024 21:22:56 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Last-Modified: Sun, 27 Nov 2022 22:51:17 GMT ETag: W/"9e27-5ee7b97be6ce7" Content-Encoding: gzip Data Raw: 35 38 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 57 dd 72 da 38 14 be 4e 9e 42 f5 4d d3 06 30 49 da 6e 42 43 67 08 90 86 59 08 4c 71 4a bb db 9d 8e 6a 0b 5b c5 96 bc 92 1c 20 9d be d9 de ed 8b ed 91 fc 83 21 4e 76 b6 7b b1 7b 83 a5 f3 fb 7d e7 1c 4b e6 fc 49 6f dc 75 3e 4e fa 28 50 51 88 26 37 17 c3 41 17 59 75 db 9e 9d 74 6d bb e7 f4 d0 87 2b 67 34 44 47 8d 26 9a 2a 41 5d 65 db fd 6b 0b 59 81 52 b1 6c d9 f6 72 b9 6c 2c 4f 1a 5c f8 b6 f3 ce 5e e9 30 47 da 2f 5b d6 a5 71 6a 78 ca b3 de ec 9f 9b 2c ab 28 64 b2 5d 15 e1 e8 ec ec 2c 75 34 c6 04 7b 6f f6 f7 ce 23 a2 30 d2 d6 75 f2 7b 42 6f db 96 cb 99 22 4c d5 d5 3a 26 16 ca 76 6d 4b 91 95 b2 b5 f3 6b e4 06 58 48 a2 da 89 9a d7 4f 2d 64 57 86 21 ab 98 0a 22 4b 11 5e 35 5f 9c 36 9b 56 a5 f5 87 fa 4d a7 de e5 51 8c 15 fd 12 96 f3 0e fa 6d e2 f9 c4 b8 85 94 2d 90 20 61 db 92 6a 1d 12 19 10 a2 2c 14 08 32 6f 5b 0d 3b 24 78 1e 12 95 3f 1b ae 84 ec 14 c2 f8 82 aa 35 f8 04 f8 f8 e5 ab fa 62 88 9d e3 b7 e3 69 7c 45 dc 20 90 fc ee ee e2 70 1e b2 de e1 dd cd fa 6b [TRUNCATED] Data Ascii: 580Wr8NBM0InBCgYLqJj[ !Nv{{}KIou>N(PQ&7AYutm+g4DG&A]ekYRlrl,O\^0G/[qjx,(d],u4{o#0u{Bo"L:&vmKkXHO-dW!"K^5_6VMQm- aj,2o[;$x?5bi\|E pkxgb=Wp)>em+c^G# H&5OP(QCS)tBb?YdCz//g'Y9JNtXb"6bI$>vE{"$lG3P?PJ_^s4r2{8$BX=J$A[@Xbw%%.O@0 O`h4>OM+qD!CBA#bA3'W1ac/37b'q'4ikn<K@80,p`EV)aajUFmL[%"EdOsVFK{]0J'GYz!P4f.bc~N0%uskH)eIZep;,(T,VS&8Fh\8Z%bfVAhImH"R1oZ(#hJp?osfCr'dIi4~J~(O5t
Oct 31, 2024 22:22:56.279989958 CET	1236	IN	Data Raw: 0f 8f a9 12 c9 d6 84 6e 90 55 cd e9 71 b3 79 f2 4f a7 b4 28 44 47 4a ea 33 e2 fd ab 6a e0 2c c8 ff a9 24 2f 1e 2f 89 99 9d 72 5d b2 a3 b1 33 e8 d5 50 27 dd c0 a2 8b 63 ad 85 95 13 24 d1 17 06 c7 ef 25 d5 e7 60 a7 07 55 34 a9 3b 97 dc c5 e1 90 30 Data Ascii: nUqyO(DGJ3j,$//r]3P'c$%`U4;0_N7L_\_\|Yu!kqh-nW7 ._oFZ"FV})g^8_G`wxYO=\2;;BAU9k3/-\|()2
Oct 31, 2024 22:22:56.280010939 CET	705	IN	Data Raw: 94 19 d9 87 06 30 bb 77 c7 ec 4f 91 0e 55 43 48 53 5c d9 a0 93 f8 6b b7 fc e6 dd 58 5e f4 9f 4d e6 87 e1 6a 0f 39 1a 77 fa d2 7c 7c 02 3b 3d e2 fa e2 e2 01 dc 99 a3 fa e6 e5 a2 c6 64 8b 7e 21 cc b1 72 41 5a 67 6d 60 dd c2 9c da 0f d4 2a d6 ab 3b Data Ascii: 0wOUCHS\kX^Mj9w\|\|;=d~!rAZgm`;c(cNN0kMrJfMG%gIdd2j193eHfV_eVAW5roH>m'rE893^KZT{h(k$}8;>N>a]hNER
Oct 31, 2024 22:22:56.280108929 CET	853	IN	Data Raw: 33 34 65 0d 0a cc 1b cb 6e db 30 ec bc bf d0 7c 28 62 a0 69 b2 63 1a 2f 40 b6 1d 3a 60 dd 0e 1b 7a 2a 30 a8 89 d3 1a f3 0b 96 dd 3d d0 fd fb 44 3d 2c 5a 96 fc e8 30 60 87 00 8e 4c 91 94 f8 10 49 53 2e bb 6e f1 68 80 76 a0 9b bb 28 5e 66 27 2e 55 Data Ascii: 34en0\|(bic/@:`z*0=D=,Z0`LIS.nhv(^f'.UaGNn,3+W<Q73I\:l{`!SR)lpXzgU1yOmo{ec,~YtW2^[O_@\TIe8]oEoZohv%a<B+
Oct 31, 2024 22:22:56.280714989 CET	594	IN	Data Raw: 32 34 62 0d 0a b4 5c 4b 4f c3 30 0c 3e b7 bf 62 9c 06 17 d8 ca 91 1b d2 c4 ef 00 89 03 07 86 c4 06 e2 e7 93 c6 8f 38 8d ed 24 1d 4c 9a 36 a5 49 9c 87 9d 2f 7e 95 29 72 aa 94 35 cb b0 f9 2d 74 42 35 65 11 43 a9 bf 86 19 53 35 90 a1 fa 9b b9 81 35 Data Ascii: 24b\KO0>b8$L6I/~)r5-tB5eCS55,%+?-Ik4"Fxs<2;e:8(AhO>q+0r!.(Q!l>Me.dFk9IJzu>H)]@Md5u-d`Vd?(TYO
Oct 31, 2024 22:22:56.280791044 CET	728	IN	Data Raw: 32 64 31 0d 0a c4 1c cb 4a 03 31 f0 ec 5f ac ed a1 2d 94 a5 bb 45 10 f4 52 90 82 17 7f a0 f4 50 75 f1 52 7c d0 8a 5e fa ef 26 99 64 32 93 99 ec 6e 1f a0 88 ac 79 6d 32 ef c9 cc ce b1 96 4e 7f a5 00 ea 80 9d 2a 09 4a 33 a8 df 73 4d 96 d3 10 46 20 Data Ascii: 2d1J1_-ERPuR\|^&d2nym2NJ3sMF @YrEK+N@FY.G$dV,zZPd8+5+78so 9,znqS9aN/-R[(=Fh$Vc}z=5?l )I:D0.Q['fc
Oct 31, 2024 22:22:56.281023026 CET	720	IN	Data Raw: 32 63 39 0d 0a d4 5d 4d 6f c2 30 0c 3d 6f bf 02 71 81 03 82 69 e7 6d 12 6c c7 21 4d 1a 3b ed 84 20 62 54 e3 43 b4 eb e0 df 2f b1 d3 c4 69 ec b6 74 e3 b0 d3 50 49 d2 60 3b ee b3 6b bf f9 22 34 d1 78 1b ee a8 34 ab 76 5b e5 13 1b ef 0d 44 6b 74 6b Data Ascii: 2c9]Mo0=oqiml!M; bTC/itPI`;k"4x4v[Dktk+iUk+61@07Z'i"]pgWw(^D)L<7zJF\{\U,k?C/tyTSM{0) 6&6u1d`n,'@Q+
Oct 31, 2024 22:22:56.281302929 CET	809	IN	Data Raw: 33 32 32 0d 0a bc 5d 4d 6f db 30 0c 3d af bf c2 c8 61 71 d1 2e 89 9c a4 40 d3 0f 60 87 dd 86 15 58 0e 3b 0c 43 e1 62 de 66 c0 8b 0b c7 e9 b6 16 f9 ef 13 25 4a b2 24 5a 76 bc 76 87 f6 10 c9 d4 b3 44 d3 a2 4c 3e 7a e6 63 80 01 e9 65 42 82 46 a4 8f Data Ascii: 322]Mo0=aq.@`X;Cbf%J$ZvvDL>zceBFaHv ~YVf3ns"TCVt]0F)g5aoy-w?!]o{42B%ivQM(E{A*A(DS:dp(VGgHQ1ZiiQ]sPEv
Oct 31, 2024 22:22:56.281946898 CET	694	IN	Data Raw: 32 61 66 0d 0a cc 5d 3b 6f c2 30 10 9e e1 57 04 75 a0 4b 23 ca 82 44 45 97 76 2a 12 a9 5a a9 1d 2a 54 21 6a 09 c4 2b 4a 02 ed c0 8f af 7d b1 93 73 7c 76 0c 44 55 17 c2 e3 b0 cf e7 4f 3e fb 7c 0f 83 cb 5b 9a 4b ae 99 b9 e6 58 7e 7d ce 17 fc 0c c5 Data Ascii: 2af];o0WuK#DEvZT!j+J}s\|vDUO>\|[KX~}E.y7YY0mlqa^{ffi,`Hw*ho/.U<.".[MWyv#xWU~tvor:F%{m!z}42
Oct 31, 2024 22:22:56.407521009 CET	688	IN	Data Raw: 32 39 35 0d 0a c4 5d cd 52 83 30 10 3e b7 4f 11 73 d2 71 5a 6a 3d e8 50 e0 e4 d1 77 70 b0 85 96 19 04 a6 d0 4e f5 e9 cd e6 8f 10 42 da 80 33 de aa ed b7 bb 21 c9 e6 67 3f 76 0d 71 52 c3 cc ff f7 39 1f 2a c4 09 a2 ec b6 69 0e 0f f8 41 af 03 61 77 Data Ascii: 295]R0>OsqZj=PwpNB3!g?vqR9iAaw[Ipu-IS-0kzFKWSv)F;"!$W;{4va6*t#t6Xtk0&?#]^y62G`"!3lV4%.e-
Oct 31, 2024 22:22:57.209213972 CET	284	OUT	GET /v3/json3.js HTTP/1.1 Accept: / Referer: http://map.geosetter.de/v3/map_google.html Accept-Language: en-CH User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0) Accept-Encoding: gzip, deflate Host: map.geosetter.de Connection: Keep-Alive
Oct 31, 2024 22:22:57.459532976 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 31 Oct 2024 21:22:57 GMT Content-Type: application/x-javascript Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Last-Modified: Thu, 03 Oct 2019 06:29:40 GMT ETag: W/"9c82-593fbb5de0ea5" Content-Encoding: gzip Data Raw: 36 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 84 57 db 72 db 36 10 7d cf 57 6c d4 99 58 f2 50 b4 2e 75 9c c4 75 a7 ad e3 4c 93 34 49 a7 72 1f 32 51 66 08 92 2b 09 36 09 b0 00 68 59 4d fc ef 5d 00 bc e9 92 c6 0f 1e 91 00 0e ce 1e ec 9e 05 4f 8e 1f c3 9b d9 87 f7 70 37 0d 27 e1 53 f8 0a 2b 63 8a 17 27 27 31 6a c3 f1 46 87 4b 6e 56 65 1c 72 79 72 a3 a5 98 d2 8c 4b 59 6c 14 5f ae 0c 4c 46 e3 c9 90 fe 4d 03 78 cb 0d 5c b2 3c 56 3c 5d 62 0b 73 cb 4d 98 73 33 cc 78 82 42 63 28 d5 12 8e 4f 1e 9d f7 17 a5 48 0c 97 02 fa 6b 2e 52 b9 1e c0 97 47 00 27 27 84 2e ee 50 70 14 09 02 cb 38 d3 a8 43 1a b9 63 0a 96 68 2e 33 a6 35 5c c0 97 87 d0 c8 99 51 5c 2c 03 e0 fa 4f 25 0b 54 66 13 c0 42 aa 2b 96 ac 02 28 45 8a 8b f3 47 1e f4 25 1a 4c 0c 98 15 42 44 af b9 c0 08 1a 06 78 5f 48 8d 29 c4 1b 60 7a 23 92 95 92 42 96 1a 72 99 96 19 42 26 59 8a 4a 87 70 bd 42 8f a6 69 5f 42 6b 90 92 15 26 b7 c4 02 04 26 a8 35 53 1b 4b 03 12 99 17 cc f0 98 67 dc 6c 60 4d 3a 42 a4 c2 1b 1d d5 f1 70 fd 87 c3 a6 78 cc a6 40 b9 00 8f 08 17 17 [TRUNCATED] Data Ascii: 66aWr6}WlXP.uuL4Ir2Qf+6hYM]Op7'S+c''1jFKnVeryrKYl_LFMx\<V<]bsMs3xBc(OHk.RG''.Pp8Cch.35\Q\,O%TfB+(EG%LBDx_H)`z#BrB&YJpBi_Bk&&5SKgl`M:Bpx@j dyx^d0.i=m Bp]<CerS.Xns) "#18luq;2kZw}F9W% 7p.JH\MLLijy6tw2:6l}}v^9v]1Xi=K/qZR;j.3"Ks1TW(_?P1}}yAf%SBT6s7Hep??M?M''l^YIaVqjBSl',2tN(RZr/`<O^-C?0ON'6f:nprcvLq&(}Iyq$-J$S?-Z\H2^x7}m%iJM1AA.Z(vt2}X2KFN0AX-wY5%3=;8g<LS5lWi
Oct 31, 2024 22:22:57.459780931 CET	699	IN	Data Raw: c2 4c b2 82 3e de 27 58 58 97 20 ff a9 53 ff 75 25 f3 0b e7 da 2a b7 b5 09 eb 15 c9 43 e6 df 75 a1 6d 87 d8 b5 a2 03 46 c4 14 82 2e 30 19 da 66 43 dd 52 98 03 75 f4 16 05 cc c4 86 2a dd 0a d8 f4 bd 15 d3 7d 6b ed b5 51 5a 1f a5 77 9f ec bb cf f0 Data Ascii: L>'XX Su%CumF.0fCRu}kQZwbs=v#K{,#y-m_Uys<+d7ru&+2x~"!%[;`Xblfy['i^b?#_T6Bqq6P{idoEhoS;
Oct 31, 2024 22:22:57.587737083 CET	327	OUT	GET /v3/leaflet/leaflet.js HTTP/1.1 Accept: / Referer: http://map.geosetter.de/v3/map_google.html Accept-Language: en-CH User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0) Origin: http://map.geosetter.de Accept-Encoding: gzip, deflate Host: map.geosetter.de Connection: Keep-Alive
Oct 31, 2024 22:22:57.837655067 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 31 Oct 2024 21:22:57 GMT Content-Type: application/x-javascript Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Last-Modified: Sun, 27 Nov 2022 02:20:23 GMT ETag: W/"23d1b-5ee6a65b7019a" Content-Encoding: gzip Data Raw: 37 30 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8c 57 7b 53 23 37 12 ff 3f 9f 42 4c 71 2e 09 8b b1 cd 5d 6d d5 0d 3b e5 f3 41 f6 95 2c 64 49 d8 4d ca eb 73 89 99 b6 2d 76 2c 79 25 0d 86 80 bf fb b5 e6 6d c2 55 1d 65 3c 9a 56 77 ab d5 8f 5f b7 07 47 e4 5f 1b 03 16 cc 1d fc 40 8e c8 cf 20 16 19 38 32 0a ff 19 fe 9d 13 41 3e fc 4a 32 79 63 84 79 20 0b 6d 88 54 0e 8c 48 9c bc 03 b2 16 1b 1b 92 95 73 1b 1b 0d 06 59 29 79 6b c3 44 af bd 2a 9a 30 72 32 1c 0d 8f 4f 86 27 27 e4 73 26 52 b9 96 86 4c 96 62 a1 d5 37 a9 78 97 63 34 22 67 99 ce d3 8f 22 f5 76 0c 7e 38 58 e4 0a 8f d1 8a 3a 0e ec 31 d0 37 b7 90 b8 20 8e dd c3 06 f4 82 c0 fd 46 1b 67 7b bd 20 57 29 2c a4 82 34 38 a8 37 d7 3a cd 33 18 03 ad b8 58 14 d4 ea 5a 0d a5 54 af 57 3e 43 b1 4e c7 e5 92 4e 83 4a 2e 98 e1 d9 11 50 ea e2 97 8e 59 66 fa 46 64 bf ad a4 1d b7 cb c8 3d 3d 59 c8 16 2c ac 3c 12 3f ee d8 8e 3a dc e2 ed 9d f0 46 b9 05 62 9d 91 78 ab d3 7a 83 64 7e 0b 1d 4d ef 84 21 c0 25 57 f1 88 eb 58 98 65 be 06 e5 2c 2a 55 4b b7 3a 55 af f5 a9 ea f7 99 [TRUNCATED] Data Ascii: 70eW{S#7?BLq.]m;A,dIMs-v,y%mUe<Vw_G_@ 82A>J2ycy mTHsY)ykD0r2O''s&RLb7xc4"g"v~8X:17 Fg{ W),487:3XZTW>CNNJ.PYfFd==Y,<?:Fbxzd~M!%WXe,UK:Ug-T,ujFab@8xzZTq^wW%w(U{S'V<L Pl6J0YF/UzSgO%Poxa{U`^o.1.~=R[.K(;CQS/fq9D>o-tP`lWF30qz=9v1_Z,@=@QU[:;-S2,^Ehog4VuGZo:YB,\|P&<:_:^Wh7tt[R]WTI+a/7`CZzURj\|RY@5e[FkLSo6:MnWTSz01Z{&,qy`xtLrAqA/[->Nnxgnl;AvX3x(J.h#B?.4YCs'SHHq]A"WV%m\|i{
Oct 31, 2024 22:22:57.968592882 CET	293	OUT	GET /v3/img/crosshair.gif HTTP/1.1 Accept: / Referer: http://map.geosetter.de/v3/map_google.html Accept-Language: en-CH User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0) Accept-Encoding: gzip, deflate Host: map.geosetter.de Connection: Keep-Alive
Oct 31, 2024 22:22:58.218626976 CET	307	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 31 Oct 2024 21:22:58 GMT Content-Type: image/gif Content-Length: 73 Connection: keep-alive Last-Modified: Thu, 03 Oct 2019 06:29:41 GMT ETag: "49-593fbb5e67ae3" Accept-Ranges: bytes Data Raw: 47 49 46 38 39 61 10 00 10 00 80 00 00 00 00 00 ff ff ff 21 f9 04 01 00 00 01 00 2c 00 00 00 00 10 00 10 00 00 02 20 8c 1f 00 c8 ac 0d d3 8a 6e d2 f3 2e b6 3a 57 05 86 e2 48 82 90 d7 71 17 ba aa 14 fb ba 11 1c 14 00 3b Data Ascii: GIF89a!, n.:WHq;

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 22:22:57.215462923 CET	295	OUT	GET /v3/leaflet/leaflet.css HTTP/1.1 Accept: / Referer: http://map.geosetter.de/v3/map_google.html Accept-Language: en-CH User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0) Accept-Encoding: gzip, deflate Host: map.geosetter.de Connection: Keep-Alive
Oct 31, 2024 22:22:58.047349930 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 31 Oct 2024 21:22:57 GMT Content-Type: text/css Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Last-Modified: Sun, 27 Nov 2022 02:20:23 GMT ETag: W/"36b1-5ee6a65b57afb" Content-Encoding: gzip Data Raw: 34 65 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 57 6d 6f db 36 10 fe 5c ff 8a 6b 8b 61 69 60 c5 72 da 74 89 82 6d 1f 86 06 e8 b0 01 05 06 ec eb 40 49 b4 c5 99 12 39 92 b2 1d 07 fe ef bb a3 2c eb 3d c9 b0 00 49 24 f2 e1 bd f1 ee b9 d3 e2 12 0c ff a7 14 86 a7 60 dd a3 e4 16 2e 17 b3 d9 95 e4 6c 25 b9 0b 34 2b f8 bc 79 75 42 b6 5f 73 66 36 dc 04 22 51 c5 70 d5 66 2c 55 bb de e1 00 a1 8e 89 82 9b 79 57 09 fc 04 76 bb 1e 2e 26 ac d8 32 db 5a 3f 28 95 07 b1 da b7 96 44 ce d6 3c 90 ec b1 23 d5 bf c3 d3 ec 8d 56 56 38 a1 8a 08 58 6c 95 2c 1d bf 9f bd 91 7c e5 22 08 f1 c9 29 5d 3d 1c 9b b3 67 2b e9 bc da 72 b3 92 6a 17 41 26 d2 94 17 5d e8 7f 0f 09 c9 0c 76 3c de 08 17 94 96 96 b9 e4 09 5a 53 a8 82 4c 03 80 20 57 87 a9 3d ff 33 be d7 91 9a 1a b6 3e ef 1d 67 8b 4b f8 66 f8 96 17 ce c2 d7 2f cb 25 ac 8c ca d1 a3 75 26 f1 d7 89 62 0d e4 8a 05 51 40 2c 4b 4e 79 d0 71 32 8a 2a 7d 18 49 f2 20 66 c9 66 6d 54 59 a4 11 38 c3 0a ab 99 41 e1 f7 33 af ea 0f b6 62 46 60 6e 15 29 37 96 ac 08 0c 47 25 cc 2b 01 14 71 7a 8d [TRUNCATED] Data Ascii: 4e0Wmo6\kai`rtm@I9,=I$`.l%4+yuB_sf6"Qpf,UyWv.&2Z?(D<#VV8Xl,\|")]=g+rjA&]v<ZSL W=3>gKf/%u&bQ@,KNyq2}I ffmTY8A3bF`n)7G%+qzspL9_24SvmmdPF&:GCi'rqr0xdetl>o,ML2v/@R;%y"X~CG2No-peZ`}ej'U{$"=B7RHnu(0C~-\YW{i<<X*2Q(OndD4%\+?e~.j,W}<hoB+7X#L2Or{ZaIEm=O]JOQQ@ILJb02$e"dWc\oYwbi=4UX-N30!RkH`/0],?ws>}o%$R}e!CSVm=NhIoAm8AKu{=>06S)sNhAH$FT#A.lvU?0pjpOp6m`1]ud(pm)%mM.p?]Sa]MG
Oct 31, 2024 22:22:58.047368050 CET	289	IN	Data Raw: 03 d4 60 b7 b9 24 ef 35 6f 37 f7 6e 67 f7 6f 24 1e b1 7e 68 e2 d8 e6 04 15 4e 69 e4 c5 fb 94 af 58 29 dd fb 3f 7f ff 0d 4b a6 e9 d6 a2 90 58 7f 41 dd b4 47 07 58 b4 84 f2 cf cf 34 4a 42 8d a1 01 a5 33 c1 d7 80 ce 20 6c b8 c4 96 be e5 c3 a4 d6 4a Data Ascii: `$5o7ngo$~hNiX)?KXAGX4JB3 lJXA5EkNo{@_]l;7uO}aWrbQ775fIXoZh4p3zhk!`z7v'{ygNVtt>}cC
Oct 31, 2024 22:22:58.047635078 CET	1236	IN	Data Raw: 33 62 62 0d 0a ac 59 6d 6f da 30 10 fe 2b 56 d1 d6 21 05 06 81 b4 08 3e 55 fb b2 0f db fe 83 93 38 c1 5a 4a 50 5e 5a 3a a9 ff 7d e7 b7 c4 8e ed 24 95 0a 42 02 e7 72 be 17 e7 ee 79 0e 53 92 bf a6 25 df 47 2d ee 6a cd 88 0f 5b 47 83 13 41 11 2d 71 Data Ascii: 3bbYmo0+V!>U8ZJP^Z:}$BryS%G-j[GA-q2 V=zI9Jcuh2k,Q6&(mxr]zrhVc%WLPn;&KK12\Bj`3/~!Xm3yc]HyO^/W1S54ej'
Oct 31, 2024 22:22:58.047667027 CET	650	IN	Data Raw: ab b7 a9 c8 15 e5 a6 5e 3a e1 f9 d3 9c c6 e5 1a aa 8c 52 c8 3f e8 fe 44 e1 72 6c f8 96 6e d5 9a eb 10 15 41 1a cf 00 13 58 e9 14 a9 e0 b5 73 c8 81 f3 b3 c1 05 11 8e f4 c1 db a1 7b 3d 70 49 8f 6a c1 a6 b7 ce 05 8e 49 80 d1 f6 62 c6 ed ec bd 40 35 Data Ascii: ^:R?DrlnAXs{=pIjIb@5%laXX}FiuD&Pbnw5ndw$q[9'X%7VCdL CB/R;_<fd"y=P30^C17J$\*NU_M
Oct 31, 2024 22:22:58.047866106 CET	419	IN	Data Raw: 31 39 63 0d 0a 94 5b c1 6a c3 30 0c 3d b7 5f 51 7a cf 60 29 14 c2 2e 63 df b0 1f 48 89 4b 53 08 85 a4 2b bb ec df 27 4b 8e 6d 29 52 9d 5e 6d 45 71 a4 58 7a 92 9f 4d a9 45 9e 5e e3 c4 92 f8 1c 27 c2 f6 cb 6a c6 a6 69 52 ca ee fa 07 d5 84 2c 6b c3 Data Ascii: 19c[j0=_Qz`).cHKS+'Km)R^mEqXzME^'jiR,k(fVT8<)&V`~O <~q;:}i'(ep@)[K;kc?al;?qm_a28s!9K)m[F"wycdutgAtw6
Oct 31, 2024 22:22:58.047883034 CET	20	IN	Data Raw: 61 0d 0a 03 00 fc 79 07 af b1 36 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: ay60

Timestamp	Bytes transferred	Direction	Data
2024-10-31 21:23:47 UTC	236	OUT	GET /~phil/exiftool/rss.xml HTTP/1.1 Pragma: no-cache Host: owl.phy.queensu.ca Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
2024-10-31 21:23:47 UTC	292	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 31 Oct 2024 21:23:47 GMT Server: Apache/2.4.37 (Rocky Linux) OpenSSL/1.1.1k mod_fcgid/2.3.9 mod_perl/2.0.12 Perl/v5.26.3 Location: http://exiftool.org/rss.xml Content-Length: 235 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-10-31 21:23:47 UTC	235	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 65 78 69 66 74 6f 6f 6c 2e 6f 72 67 2f 72 73 73 2e 78 6d 6c 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://exiftool.org/rss.xml">here</a>.</p></body></html>

Target ID:	0
Start time:	17:22:10
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\geosetter_setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\geosetter_setup.exe"
Imagebase:	0x400000
File size:	24'564'453 bytes
MD5 hash:	6C8AAC98AC0F743037C412B513A6A3A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	17:22:48
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\GeoSetter\GeoSetterShellExt.dll"
Imagebase:	0x830000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	17:22:50
Start date:	31/10/2024
Path:	C:\Program Files (x86)\GeoSetter\GeoSetter.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\GeoSetter\GeoSetter.exe"
Imagebase:	0x400000
File size:	11'988'480 bytes
MD5 hash:	010F18D793587CEB5E31D53455F461A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000007.00000000.2454380438.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	9
Start time:	17:22:53
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -listx
Imagebase:	0x400000
File size:	8'340'681 bytes
MD5 hash:	CB2157B42F3AB50ED1A1977F995223E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 2%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	13
Start time:	17:23:46
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -lang
Imagebase:	0x400000
File size:	8'340'681 bytes
MD5 hash:	CB2157B42F3AB50ED1A1977F995223E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	16
Start time:	17:23:51
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GeoSetter\tools\exiftool.exe" -ver
Imagebase:	0x400000
File size:	8'340'681 bytes
MD5 hash:	CB2157B42F3AB50ED1A1977F995223E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Execution Coverage:	23.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.9%
Total number of Nodes:	1539
Total number of Limit Nodes:	24

Execution Coverage:	15.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	108

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report geosetter_setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\GeoSetter\DelZip190.dll (copy)

C:\Program Files (x86)\GeoSetter\GeoSetter.exe (copy)

C:\Program Files (x86)\GeoSetter\GeoSetterShellExt.dll (copy)

C:\Program Files (x86)\GeoSetter\GeoSetterShellExt64.dll (copy)

C:\Program Files (x86)\GeoSetter\cameras.txt (copy)

C:\Program Files (x86)\GeoSetter\dcrawlib.dll (copy)

C:\Program Files (x86)\GeoSetter\help\GeoSetter-DE.chm (copy)

C:\Program Files (x86)\GeoSetter\help\GeoSetter-EN.chm (copy)

C:\Program Files (x86)\GeoSetter\help\is-0NEIU.tmp

C:\Program Files (x86)\GeoSetter\help\is-UIS00.tmp

C:\Program Files (x86)\GeoSetter\ielib32.dll (copy)

C:\Program Files (x86)\GeoSetter\is-07QKO.tmp

C:\Program Files (x86)\GeoSetter\is-1BDNO.tmp

Windows Analysis Report
geosetter_setup.exe

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	619
Total number of Limit Nodes:	16

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.9%
Total number of Nodes:	359
Total number of Limit Nodes:	42

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre