Play interactive tour

Edit tour

Windows Analysis Report d32Z71Q0wT.exe

Overview

General Information

Sample Name:	d32Z71Q0wT.exe
Analysis ID:	528741
MD5:	22881f3c6d61c70b25ff28654b6961e5
SHA1:	90d344108bb0ba41e068080443a4bd42c25bdf54
SHA256:	a2b6c4286d9de9cded676840936ce2446a5244d5e415613404eae6430efc8c58
Tags:	exeRedLineStealer
Infos:
Most interesting Screenshot:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Found malware configuration

Detected unpacking (overwrites its own PE header)

Detected unpacking (changes PE section rights)

Tries to steal Crypto Currency Wallets

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Yara detected Credential Stealer

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

d32Z71Q0wT.exe (PID: 3280 cmdline: "C:\Users\user\Desktop\d32Z71Q0wT.exe" MD5: 22881F3C6D61C70B25FF28654B6961E5)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["193.56.146.64:65441"], "Bot Id": "udptest"}

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.725147062.0000000003C50000.00000004.00020000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.724710900.0000000003990000.00000004.00020000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000003.671477605.0000000001E87000.00000004.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.725068988.0000000003B65000.00000004.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: d32Z71Q0wT.exe PID: 3280	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: d32Z71Q0wT.exe PID: 3280	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.d32Z71Q0wT.exe.3c50000.6.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.d32Z71Q0wT.exe.3ba60c6.5.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.d32Z71Q0wT.exe.3990000.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.d32Z71Q0wT.exe.3ba51de.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.d32Z71Q0wT.exe.3c50000.6.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.d32Z71Q0wT.exe.3990ee8.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.d32Z71Q0wT.exe.3990ee8.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.d32Z71Q0wT.exe.3ba51de.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.3.d32Z71Q0wT.exe.1e87920.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.d32Z71Q0wT.exe.3990000.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.d32Z71Q0wT.exe.3ba60c6.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.3.d32Z71Q0wT.exe.1e87920.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.d32Z71Q0wT.exe.3ba51de.4.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["193.56.146.64:65441"], "Bot Id": "udptest"}

Machine Learning detection for sample

Show sources

Source: d32Z71Q0wT.exe

Joe Sandbox ML: detected

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Unpacked PE file: 0.2.d32Z71Q0wT.exe.400000.0.unpack

Source: d32Z71Q0wT.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: _.pdb source: d32Z71Q0wT.exe, 00000000.00000003.672125840.0000000001EB3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.724710900.0000000003990000.00000004.00020000.sdmp, d32Z71Q0wT.exe, 00000000.00000003.671477605.0000000001E87000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725068988.0000000003B65000.00000004.00000001.sdmp
Source:	Binary string: JC:\ruyabefufevawi\vew5_kas\cagorarodaki\xiyakud39\ripa\vikavazan\w.pdbP source: d32Z71Q0wT.exe
Source:	Binary string: C:\ruyabefufevawi\vew5_kas\cagorarodaki\xiyakud39\ripa\vikavazan\w.pdb source: d32Z71Q0wT.exe

Source: Joe Sandbox View

ASN Name: LVLT-10753US LVLT-10753US

Source: Joe Sandbox View

IP Address: 193.56.146.64 193.56.146.64

Source: global traffic

TCP traffic: 192.168.2.4:49686 -> 193.56.146.64:65441

Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64
Source: unknown	TCP traffic detected without corresponding DNS query: 193.56.146.64

Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: m9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"DivX Web Player","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"Facebook Video","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"Chrome PDF Viewer","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"Chrome PDF Plugin","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"Google Earth","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"Google Talk","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"IBMJava*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j

Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://forms.rea
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://go.micros
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://service.r
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://support.a
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://support.apple.com/kb/HT203092
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chromex
Source: d32Z71Q0wT.exe, 00000000.00000002.727057142.000000000439B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726498901.00000000041CD000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725928418.0000000004049000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727837638.00000000050E0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727554351.0000000004FAB000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.728124901.00000000051C2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727958393.0000000005151000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727675249.000000000501C000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726169352.000000000410B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726805547.00000000042DA000.00000004.00000001.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: d32Z71Q0wT.exe, 00000000.00000002.725147062.0000000003C50000.00000004.00020000.sdmp, d32Z71Q0wT.exe, 00000000.00000002.724710900.0000000003990000.00000004.00020000.sdmp, d32Z71Q0wT.exe, 00000000.00000003.671477605.0000000001E87000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725068988.0000000003B65000.00000004.00000001.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: d32Z71Q0wT.exe, 00000000.00000002.727057142.000000000439B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726498901.00000000041CD000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725928418.0000000004049000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727837638.00000000050E0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727554351.0000000004FAB000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.728124901.00000000051C2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727958393.0000000005151000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727675249.000000000501C000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726169352.000000000410B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726805547.00000000042DA000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: d32Z71Q0wT.exe, 00000000.00000002.727057142.000000000439B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726498901.00000000041CD000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725928418.0000000004049000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727837638.00000000050E0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727554351.0000000004FAB000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.728124901.00000000051C2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727958393.0000000005151000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727675249.000000000501C000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726169352.000000000410B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726805547.00000000042DA000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: d32Z71Q0wT.exe, 00000000.00000002.727057142.000000000439B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726498901.00000000041CD000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725928418.0000000004049000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727554351.0000000004FAB000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727675249.000000000501C000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726169352.000000000410B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726805547.00000000042DA000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: d32Z71Q0wT.exe, 00000000.00000002.727837638.00000000050E0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.728124901.00000000051C2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727958393.0000000005151000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabx
Source: d32Z71Q0wT.exe, 00000000.00000002.727057142.000000000439B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726498901.00000000041CD000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725928418.0000000004049000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727837638.00000000050E0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727554351.0000000004FAB000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.728124901.00000000051C2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727958393.0000000005151000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727675249.000000000501C000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726169352.000000000410B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726805547.00000000042DA000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://get.adob
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://helpx.ad
Source: d32Z71Q0wT.exe, 00000000.00000002.727057142.000000000439B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726498901.00000000041CD000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725928418.0000000004049000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727837638.00000000050E0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727554351.0000000004FAB000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.728124901.00000000051C2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727958393.0000000005151000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727675249.000000000501C000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726169352.000000000410B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726805547.00000000042DA000.00000004.00000001.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: d32Z71Q0wT.exe, 00000000.00000002.727057142.000000000439B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726498901.00000000041CD000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725928418.0000000004049000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727837638.00000000050E0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727554351.0000000004FAB000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.728124901.00000000051C2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727958393.0000000005151000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727675249.000000000501C000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726169352.000000000410B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726805547.00000000042DA000.00000004.00000001.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: d32Z71Q0wT.exe, 00000000.00000002.727057142.000000000439B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726498901.00000000041CD000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725928418.0000000004049000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727837638.00000000050E0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727554351.0000000004FAB000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.728124901.00000000051C2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727958393.0000000005151000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727675249.000000000501C000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726169352.000000000410B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726805547.00000000042DA000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: d32Z71Q0wT.exe, 00000000.00000002.724166338.0000000001E0A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: d32Z71Q0wT.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_00408C60
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_0040DC11
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_00407C3F
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_00418CCC
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_00406CA0
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_004028B0
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_0041A4BE
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_00418244
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_00401650
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_00402F20
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_004193C4
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_00418788
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_00402F89
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_00402B90
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_004073A0
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_03920F1A
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_03920C30
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_03920C20

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Code function: String function: 0040E1D8 appears 44 times

Source: d32Z71Q0wT.exe	Binary or memory string: OriginalFilename vs d32Z71Q0wT.exe
Source: d32Z71Q0wT.exe, 00000000.00000002.725147062.0000000003C50000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameHereabouts.exe4 vs d32Z71Q0wT.exe
Source: d32Z71Q0wT.exe, 00000000.00000002.723879529.000000000043B000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameHereabouts.exe4 vs d32Z71Q0wT.exe
Source: d32Z71Q0wT.exe, 00000000.00000003.672125840.0000000001EB3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_.dll4 vs d32Z71Q0wT.exe
Source: d32Z71Q0wT.exe, 00000000.00000002.724710900.0000000003990000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameHereabouts.exe4 vs d32Z71Q0wT.exe
Source: d32Z71Q0wT.exe, 00000000.00000002.724710900.0000000003990000.00000004.00020000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs d32Z71Q0wT.exe
Source: d32Z71Q0wT.exe, 00000000.00000003.671147886.00000000038A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameHereabouts.exe4 vs d32Z71Q0wT.exe
Source: d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs d32Z71Q0wT.exe
Source: d32Z71Q0wT.exe, 00000000.00000003.671477605.0000000001E87000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameHereabouts.exe4 vs d32Z71Q0wT.exe
Source: d32Z71Q0wT.exe, 00000000.00000003.671477605.0000000001E87000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_.dll4 vs d32Z71Q0wT.exe
Source: d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameHereabouts.exe4 vs d32Z71Q0wT.exe
Source: d32Z71Q0wT.exe, 00000000.00000002.725068988.0000000003B65000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameHereabouts.exe4 vs d32Z71Q0wT.exe
Source: d32Z71Q0wT.exe, 00000000.00000002.725068988.0000000003B65000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_.dll4 vs d32Z71Q0wT.exe

Source: d32Z71Q0wT.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: d32Z71Q0wT.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: d32Z71Q0wT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: d32Z71Q0wT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

File created: C:\Users\user\AppData\Local\Yandex

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Command line argument: 08A

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: d32Z71Q0wT.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: d32Z71Q0wT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: d32Z71Q0wT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: d32Z71Q0wT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: d32Z71Q0wT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: d32Z71Q0wT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: d32Z71Q0wT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: d32Z71Q0wT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: d32Z71Q0wT.exe, 00000000.00000003.672125840.0000000001EB3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.724710900.0000000003990000.00000004.00020000.sdmp, d32Z71Q0wT.exe, 00000000.00000003.671477605.0000000001E87000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725068988.0000000003B65000.00000004.00000001.sdmp
Source:	Binary string: JC:\ruyabefufevawi\vew5_kas\cagorarodaki\xiyakud39\ripa\vikavazan\w.pdbP source: d32Z71Q0wT.exe
Source:	Binary string: C:\ruyabefufevawi\vew5_kas\cagorarodaki\xiyakud39\ripa\vikavazan\w.pdb source: d32Z71Q0wT.exe

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Unpacked PE file: 0.2.d32Z71Q0wT.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Unpacked PE file: 0.2.d32Z71Q0wT.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_0041C40C push cs; iretd
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_00423149 push eax; ret
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_0041C50E push cs; iretd
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_004231C8 push eax; ret
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_0040E21D push ecx; ret
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_0041C6BE push ebx; ret
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_0044B58C push edx; retn 0004h
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_00449990 push ecx; mov dword ptr [esp], 00000000h
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_01E1B5A6 push FFFFFFE1h; ret
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_01E1E4F1 push edi; retf
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_01E1E3E4 push ecx; iretd
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_03924BA5 push edi; ret

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Source: initial sample

Static PE information: section name: .text entropy: 7.51602349785

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe TID: 4600	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe TID: 5876	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Window / User API: threadDelayed 569
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Window / User API: threadDelayed 1195

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Thread delayed: delay time: 922337203685477

Source: d32Z71Q0wT.exe, 00000000.00000002.724295754.0000000001E70000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: d32Z71Q0wT.exe, 00000000.00000002.729931846.0000000007CB0000.00000040.00000001.sdmp	Binary or memory string: #HGfSj
Source: d32Z71Q0wT.exe, 00000000.00000002.724295754.0000000001E70000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareMAHCABPLWin32_VideoControllerVR5TATOGVideoController120060621000000.000000-000941.4138display.infMSBDAZX_M9UC5PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsY166ZPN99
Source: d32Z71Q0wT.exe, 00000000.00000002.724349866.0000000001ED5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Code function: 0_2_01E19AA3 push dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Code function: 0_2_004123F1 SetUnhandledExceptionFilter,

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Code function: GetLocaleInfoA,

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe

Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Source: d32Z71Q0wT.exe, 00000000.00000002.728620008.0000000007098000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.728764058.0000000007118000.00000004.00000001.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3c50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3ba60c6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3ba51de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3c50000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3990ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3990ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3ba51de.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.d32Z71Q0wT.exe.1e87920.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3990000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3ba60c6.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.d32Z71Q0wT.exe.1e87920.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.725147062.0000000003C50000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.724710900.0000000003990000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.671477605.0000000001E87000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.725068988.0000000003B65000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d32Z71Q0wT.exe PID: 3280, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Tries to steal Crypto Currency Wallets

Show sources

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: ElectrumE#
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: JaxxE#
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: ExodusE#
Source: d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	String found in binary or memory: EthereumE#
Source: d32Z71Q0wT.exe, 00000000.00000002.725147062.0000000003C50000.00000004.00020000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\d32Z71Q0wT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Source: Yara match

File source: Process Memory Space: d32Z71Q0wT.exe PID: 3280, type: MEMORYSTR

Remote Access Functionality:

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3c50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3ba60c6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3ba51de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3c50000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3990ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3990ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3ba51de.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.d32Z71Q0wT.exe.1e87920.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3990000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d32Z71Q0wT.exe.3ba60c6.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.d32Z71Q0wT.exe.1e87920.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.725147062.0000000003C50000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.724710900.0000000003990000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.671477605.0000000001E87000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.725068988.0000000003B65000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d32Z71Q0wT.exe PID: 3280, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation221	Path Interception	Path Interception	Masquerading1	OS Credential Dumping1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	Input Capture1	Security Software Discovery261	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion231	Security Account Manager	Virtualization/Sandbox Evasion231	SMB/Windows Admin Shares	Data from Local System3	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing22	Cached Domain Credentials	System Information Discovery134	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
d32Z71Q0wT.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://service.r	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19Response	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
http://support.a	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6Response	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe
http://forms.rea	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16Response	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chromex	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8Response	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/chrome_newtab	d32Z71Q0wT.exe, 00000000.00000002.727057142.000000000439B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726498901.00000000041CD000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725928418.0000000004049000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727554351.0000000004FAB000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727675249.000000000501C000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726169352.000000000410B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726805547.00000000042DA000.00000004.00000001.sdmp	false		high
http://service.r	d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/ac/?q=	d32Z71Q0wT.exe, 00000000.00000002.727057142.000000000439B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726498901.00000000041CD000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725928418.0000000004049000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727837638.00000000050E0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727554351.0000000004FAB000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.728124901.00000000051C2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727958393.0000000005151000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727675249.000000000501C000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726169352.000000000410B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726805547.00000000042DA000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id12Response	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id21Response	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id9	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id8	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id4	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id7	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_real	d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id19Response	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_pdf	d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id15Response	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://forms.real.com/real/realone/download.html?type=rpsp_us	d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	false		high
http://support.a	d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id6Response	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
https://api.ip.sb/ip	d32Z71Q0wT.exe, 00000000.00000002.725147062.0000000003C50000.00000004.00020000.sdmp, d32Z71Q0wT.exe, 00000000.00000002.724710900.0000000003990000.00000004.00020000.sdmp, d32Z71Q0wT.exe, 00000000.00000003.671477605.0000000001E87000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725068988.0000000003B65000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_quicktime	d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/sc	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id9Response	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	d32Z71Q0wT.exe, 00000000.00000002.727057142.000000000439B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726554120.00000000041E3000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726498901.00000000041CD000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725928418.0000000004049000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727837638.00000000050E0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727554351.0000000004FAB000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.728124901.00000000051C2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727958393.0000000005151000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727675249.000000000501C000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726169352.000000000410B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726805547.00000000042DA000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id20	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id23	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id24	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id24Response	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1Response	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_shockwave	d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	false		high
http://forms.rea	d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id10	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16Response	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.interoperabilitybridges.com/wmp-extension-for-chromex	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id13	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id14	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id17	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5Response	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id10Response	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://tempuri.org/Entity/Id8Response	d32Z71Q0wT.exe, 00000000.00000002.725639144.0000000003ED1000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_wmp	d32Z71Q0wT.exe, 00000000.00000002.726010763.000000000405F000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726879938.00000000042F0000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.727123029.00000000043B2000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726637994.000000000424B000.00000004.00000001.sdmp, d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/answer/6258784	d32Z71Q0wT.exe, 00000000.00000002.726239511.0000000004121000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	d32Z71Q0wT.exe, 00000000.00000002.725700604.0000000003F64000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.56.146.64	unknown	unknown		10753	LVLT-10753US	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528741
Start date:	25.11.2021
Start time:	18:21:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 51s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	d32Z71Q0wT.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 11.4% (good quality ratio 11%) Quality average: 84.5% Quality standard deviation: 23.5%
HCA Information:	Successful, ratio: 67% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:22:41	API Interceptor	10x Sleep call for process: d32Z71Q0wT.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
193.56.146.64	n3ZB11gmgx.exe	Get hash	malicious	Browse
	lUutlamdAP.exe	Get hash	malicious	Browse
	JVOevQSmez.exe	Get hash	malicious	Browse
	tgrnZru3Ux.exe	Get hash	malicious	Browse
	kWe1P2w4cy.exe	Get hash	malicious	Browse
	9qifkNvPb8.exe	Get hash	malicious	Browse
	AOE3ZrAHCZ.exe	Get hash	malicious	Browse
	7ux5Q0EZQH.exe	Get hash	malicious	Browse
	QVRDRyonIY.exe	Get hash	malicious	Browse
	pLKSFlouAv.exe	Get hash	malicious	Browse
	uzViZJ5hxU.exe	Get hash	malicious	Browse
	aebCfcwHy0.exe	Get hash	malicious	Browse
	5o2bRAvHx9.exe	Get hash	malicious	Browse
	2ce1WYKMsA.exe	Get hash	malicious	Browse
	Kod7jprn7K.exe	Get hash	malicious	Browse
	2LG87UfOTH.exe	Get hash	malicious	Browse
	4Lkdxnkt9M.exe	Get hash	malicious	Browse
	t2E05q13ox.exe	Get hash	malicious	Browse
	I3O28Z5uqy.exe	Get hash	malicious	Browse
	Hf34l6qunJ.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LVLT-10753US	n3ZB11gmgx.exe	Get hash	malicious	Browse	193.56.146.64
	OPKyR75fJn.exe	Get hash	malicious	Browse	193.56.146.36
	3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe	Get hash	malicious	Browse	193.56.146.36
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse	193.56.146.36
	lUutlamdAP.exe	Get hash	malicious	Browse	193.56.146.64
	44E401AAF0B52528AA033257C1A1B8A09A2B10EDF26ED.exe	Get hash	malicious	Browse	193.56.146.36
	77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe	Get hash	malicious	Browse	193.56.146.36
	22BA4262D93379DE524029DAFC7528E431E56A22CB293.exe	Get hash	malicious	Browse	193.56.146.36
	zMvP34LhcZ.exe	Get hash	malicious	Browse	193.56.146.36
	JVOevQSmez.exe	Get hash	malicious	Browse	193.56.146.64
	wmwL0AmWha.exe	Get hash	malicious	Browse	193.56.146.36
	BPjUXSEwuL.exe	Get hash	malicious	Browse	193.56.146.36
	734C31431B89B7501B984AF35A2D61BDCE27BA87CA484.exe	Get hash	malicious	Browse	193.56.146.36
	utKWcb6Hzs.exe	Get hash	malicious	Browse	193.56.146.36
	6ZYg7h0ynL.exe	Get hash	malicious	Browse	193.56.146.36
	CVfKJhwYQW.exe	Get hash	malicious	Browse	193.56.146.36
	1baYVecsju.exe	Get hash	malicious	Browse	193.56.146.36
	tgrnZru3Ux.exe	Get hash	malicious	Browse	193.56.146.64
	F2433DFBA69148A0C3A5A5951D360B6C3C045090DE06F.exe	Get hash	malicious	Browse	193.56.146.36
	kWe1P2w4cy.exe	Get hash	malicious	Browse	193.56.146.64

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d32Z71Q0wT.exe.log Download File
Process:	C:\Users\user\Desktop\d32Z71Q0wT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2291
Entropy (8bit):	5.3192079301865585
Encrypted:	false
SSDEEP:	48:MIHK5HKXRfHK7HKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHK1HxLHG1qHqH5HX:Pq5qXdq7qLqdqUqzcGYqhQnoPtIxHbqG
MD5:	B480B5E2E0D8EB6CC658782575F52F35
SHA1:	5E0440E4E0005F9084A7061FF942618083DD400A
SHA-256:	1A8388CF5706484514C6358BCA4DFFE463A1AE1A1BEAB38DB480B3CB262EE14E
SHA-512:	DEADF1B8FB8DC8AC7E4AC8D2E36E48CDB20E3B6E6431C465BF81C9B26731CAFFB85537F7AA5762B9479528092209B29FAC84317A3AAF3EEE1D9E0E8617786732
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.593386354237363
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	d32Z71Q0wT.exe
File size:	414208
MD5:	22881f3c6d61c70b25ff28654b6961e5
SHA1:	90d344108bb0ba41e068080443a4bd42c25bdf54
SHA256:	a2b6c4286d9de9cded676840936ce2446a5244d5e415613404eae6430efc8c58
SHA512:	aa57847eb66727fd72fd66ed5cfbeb46e14bdf1c03a17ed9fa9137d864de0aadd80036ef1d806e81b714ccfe0661d9e1831e3c4355b85ecf9523fedc6bf9d889
SSDEEP:	6144:os/8DawW7XxngvaXXAHBIRM0ff/SzpIsLsX:X8DaqaXXA+i0ff/STLs
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#...p...p...p..Wp...p..bp...p..Vp...p..op...p...pa..p..Sp...p..fp...p..ap...pRich...p........PE..L...R.&_...................

File Icon


Icon Hash:	a2e8e8e8aaa2a488

Static PE Info

General
Entrypoint:	0x433040
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5F26C552 [Sun Aug 2 13:53:22 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	ee6524c22cc0cf74d4c47508c44cd3e2

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007F9B9CB39E1Bh
call 00007F9B9CB39B26h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0044AD00h
push 00437260h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [0044D064h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401314h]
cmp dword ptr [01C001BCh], 00000000h
jne 00007F9B9CB39B20h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [00401310h]
call 00007F9B9CB39CA3h
mov dword ptr [ebp-6Ch], eax
call 00007F9B9CB3DC6Bh
test eax, eax
jne 00007F9B9CB39B1Ch
push 0000001Ch
call 00007F9B9CB39C60h
add esp, 04h
call 00007F9B9CB3D5C8h
test eax, eax
jne 00007F9B9CB39B1Ch
push 00000010h
call 00007F9B9CB39C4Dh
add esp, 04h
push 00000001h
call 00007F9B9CB3D513h
add esp, 04h
call 00007F9B9CB3B1CBh
mov dword ptr [ebp-04h], 00000000h
call 00007F9B9CB3ADAFh
test eax, eax

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b2e4	0x78	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1802000	0x67f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1809000	0x17cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1410	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x32e68	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x3c4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4ba02	0x4bc00	False	0.748359503919	data	7.51602349785	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x4d000	0x17b41c0	0x1400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1802000	0x67f8	0x6800	False	0.53662109375	data	5.52301875313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1809000	0x1143c	0x11600	False	0.0749494154676	data	0.972181558947	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x1806820	0x2	data	Divehi; Dhivehi; Maldivian	Maldives
YONAMIKORUFENI	0x18058c0	0xee8	ASCII text, with very long lines, with no line terminators	Spanish	Panama
RT_CURSOR	0x1806828	0x130	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0x1806958	0xf0	data	Divehi; Dhivehi; Maldivian	Maldives
RT_CURSOR	0x1806a48	0x10a8	dBase III DBT, version number 0, next free block index 40	Divehi; Dhivehi; Maldivian	Maldives
RT_ICON	0x18024f0	0x8a8	data	Spanish	Panama
RT_ICON	0x1802d98	0x6c8	data	Spanish	Panama
RT_ICON	0x1803460	0x568	GLS_BINARY_LSB_FIRST	Spanish	Panama
RT_ICON	0x18039c8	0x10a8	data	Spanish	Panama
RT_ICON	0x1804a70	0x988	data	Spanish	Panama
RT_ICON	0x18053f8	0x468	GLS_BINARY_LSB_FIRST	Spanish	Panama
RT_STRING	0x1807c50	0xfc	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1807d50	0x252	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1807fa8	0x458	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1808400	0x26e	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1808670	0x184	data	Divehi; Dhivehi; Maldivian	Maldives
RT_ACCELERATOR	0x18067a8	0x78	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_CURSOR	0x1807af0	0x30	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_ICON	0x1805860	0x5a	data	Spanish	Panama
RT_VERSION	0x1807b20	0x12c	data	Divehi; Dhivehi; Maldivian	Maldives

Imports

DLL	Import
KERNEL32.dll	UnregisterWait, SetCriticalSectionSpinCount, HeapCompact, lstrcmpA, FindFirstFileW, FindFirstChangeNotificationW, EnumCalendarInfoA, WriteConsoleInputW, IsBadStringPtrW, EnumDateFormatsExW, CopyFileExW, GetNumaProcessorNode, TlsGetValue, SetLocalTime, UnmapViewOfFile, MoveFileExA, CommConfigDialogA, GetNumberOfConsoleInputEvents, GetConsoleAliasExesLengthA, SetErrorMode, FindResourceW, SetUnhandledExceptionFilter, LoadLibraryExW, SetDllDirectoryW, InterlockedIncrement, GetQueuedCompletionStatus, VerSetConditionMask, ReadConsoleA, InterlockedDecrement, WaitNamedPipeA, SetMailslotInfo, WritePrivateProfileSectionA, SetDefaultCommConfigW, SetFirmwareEnvironmentVariableA, CreateJobObjectW, GlobalLock, AddConsoleAliasW, SetVolumeMountPointW, GetComputerNameW, OpenSemaphoreA, CreateHardLinkA, GetFileAttributesExA, _lclose, GetModuleHandleW, GetTickCount, GetCommConfig, CreateNamedPipeW, GetProcessHeap, IsBadReadPtr, GetConsoleAliasesLengthA, GetSystemTimeAsFileTime, GetPrivateProfileStringW, GetConsoleTitleA, CreateRemoteThread, GetCompressedFileSizeW, EnumTimeFormatsA, SetCommState, GetSystemWow64DirectoryA, CreateActCtxW, WaitForMultipleObjectsEx, InitializeCriticalSection, GetProcessTimes, TlsSetValue, AllocateUserPhysicalPages, OpenProcess, FindResourceExA, FatalAppExitW, GetThreadSelectorEntry, GetCalendarInfoW, GetCalendarInfoA, ReadFileScatter, SetSystemTimeAdjustment, GetSystemWindowsDirectoryA, ReadConsoleOutputW, SetConsoleCP, DeleteVolumeMountPointW, InterlockedPopEntrySList, GetFileAttributesA, lstrcpynW, SetConsoleMode, GetVolumePathNamesForVolumeNameW, CreateSemaphoreA, SetConsoleCursorPosition, VerifyVersionInfoA, TerminateProcess, GetAtomNameW, IsDBCSLeadByte, GetModuleFileNameW, lstrcatA, QueryInformationJobObject, GetBinaryTypeW, GetVolumePathNameA, lstrlenW, GetPrivateProfileSectionNamesW, GlobalUnlock, VirtualUnlock, GetTempPathW, GetStringTypeExA, GetNamedPipeHandleStateW, GetLargestConsoleWindowSize, GetPrivateProfileIntW, VerifyVersionInfoW, InterlockedExchange, ReleaseActCtx, SetCurrentDirectoryA, GetStdHandle, FindFirstFileA, FreeLibraryAndExitThread, GetLastError, ChangeTimerQueueTimer, BackupRead, BindIoCompletionCallback, GetProcAddress, GetLongPathNameA, HeapSize, CreateJobSet, LocalLock, LockFileEx, EnterCriticalSection, VerLanguageNameW, SearchPathA, BuildCommDCBW, FindClose, LoadLibraryA, Process32FirstW, OpenMutexA, ProcessIdToSessionId, LocalAlloc, MoveFileA, BuildCommDCBAndTimeoutsW, GetExitCodeThread, GetNumberFormatW, SetCurrentDirectoryW, SetFileApisToANSI, QueryDosDeviceW, HeapWalk, GetPrivateProfileStructA, GetTapeParameters, SetNamedPipeHandleState, SetEnvironmentVariableA, GetVolumePathNamesForVolumeNameA, GetDefaultCommConfigA, WriteProfileStringA, WTSGetActiveConsoleSessionId, EnumDateFormatsA, WaitCommEvent, FindFirstChangeNotificationA, GetProcessShutdownParameters, QueueUserWorkItem, ContinueDebugEvent, IsDebuggerPresent, FatalExit, FreeEnvironmentStringsW, EnumResourceNamesA, FindNextFileW, WriteProfileStringW, VirtualProtect, EnumDateFormatsW, CompareStringA, FatalAppExitA, PeekConsoleInputA, DeleteCriticalSection, WriteConsoleOutputAttribute, OutputDebugStringA, DuplicateHandle, FindFirstVolumeA, GetVersionExA, TlsAlloc, TerminateJobObject, CloseHandle, GetVersion, DeleteTimerQueueTimer, GlobalAddAtomW, SetFileValidData, FindActCtxSectionStringW, ResetWriteWatch, UnregisterWaitEx, ReadConsoleOutputCharacterW, TlsFree, GetProfileSectionW, EnumSystemLocalesW, lstrcpyW, CopyFileExA, LocalFileTimeToFileTime, CreateFileW, SetStdHandle, GetFullPathNameA, GetThreadContext, WritePrivateProfileStringW, ExitProcess, RaiseException, GetCommandLineW, HeapSetInformation, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, DecodePointer, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, HeapValidate, EncodePointer, SetLastError, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, LeaveCriticalSection, LoadLibraryW, GetCurrentProcess, UnhandledExceptionFilter, HeapAlloc, GetModuleFileNameA, HeapReAlloc, HeapQueryInformation, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, WriteConsoleW, OutputDebugStringW, IsProcessorFeaturePresent, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers
USER32.dll	GetMessageTime
GDI32.dll	GetBitmapBits
ADVAPI32.dll	GetFileSecurityW
MSIMG32.dll	AlphaBlend

Version Infos

Description	Data
Translations	0x0022 0x023c

Possible Origin

Language of compilation system	Country where language is spoken	Map
Divehi; Dhivehi; Maldivian	Maldives
Spanish	Panama

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 18:22:26.949352980 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:27.018537998 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:27.018734932 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:27.318273067 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:27.387978077 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:27.432566881 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:29.972871065 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:30.043111086 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:30.089034081 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:36.202575922 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:36.274812937 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:36.274853945 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:36.274938107 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:36.275496006 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:36.323971033 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:39.535655975 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:39.605058908 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:39.652573109 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:40.010560036 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:40.081207037 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:40.104320049 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:40.175554037 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:40.230535030 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:40.321723938 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:40.391171932 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:40.397097111 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:40.466639996 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:40.511876106 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:40.593369961 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:40.663388968 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:40.663604021 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:40.678795099 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:40.748326063 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:40.793293953 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:40.835118055 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:40.904567003 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:40.946135998 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:40.959944963 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:41.030267000 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:41.030864000 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:41.030879021 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:41.031651974 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:41.074398041 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:41.802509069 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:41.873090982 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:41.873729944 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:41.942941904 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:41.944116116 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:42.015896082 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:42.058897018 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:42.126715899 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:42.195751905 CET	65441	49686	193.56.146.64	192.168.2.4
Nov 25, 2021 18:22:42.246351957 CET	49686	65441	192.168.2.4	193.56.146.64
Nov 25, 2021 18:22:42.500879049 CET	49686	65441	192.168.2.4	193.56.146.64

Code Manipulations

Statistics

System Behavior

Analysis Process: d32Z71Q0wT.exe PID: 3280 Parent PID: 5408

General

Start time:	18:22:11
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\d32Z71Q0wT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\d32Z71Q0wT.exe"
Imagebase:	0x400000
File size:	414208 bytes
MD5 hash:	22881F3C6D61C70B25FF28654B6961E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.725147062.0000000003C50000.00000004.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.724710900.0000000003990000.00000004.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.671477605.0000000001E87000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.727344652.0000000004F1A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.725068988.0000000003B65000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report d32Z71Q0wT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Overview

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Code Manipulations

Statistics

System Behavior

Analysis Process: d32Z71Q0wT.exe PID: 3280 Parent PID: 5408