Windows Analysis Report 16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe

Overview

General Information

Sample Name: 16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe
Analysis ID: 541989
MD5: 8205d65f76fa63e73b7685faf647a048
SHA1: 79ea7b6dda9d45f021150d57ce90f340cef35940
SHA256: 16c6a61f609b7ef5cd13fc587805018efad3be42545912f4281adde004cf928b
Tags: exe RedLineStealer

Detection

GuLoader RedLine SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Yara detected GuLoader
Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Injects a PE file into a foreign processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Checks if the current machine is a virtual machine (disk enumeration)
Hides threads from debuggers
.NET source code references suspicious native API functions
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • 16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe" MD5: 8205D65F76FA63E73B7685FAF647A048)
    • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • 72E0.exe (PID: 1904 cmdline: C:\Users\user\AppData\Local\Temp\72E0.exe MD5: F2F8A2B12CB2E41FFBE135B6ED9B5B7C)
        • 72E0.exe (PID: 5272 cmdline: C:\Users\user\AppData\Local\Temp\72E0.exe MD5: F2F8A2B12CB2E41FFBE135B6ED9B5B7C)
        • 72E0.exe (PID: 5456 cmdline: C:\Users\user\AppData\Local\Temp\72E0.exe MD5: F2F8A2B12CB2E41FFBE135B6ED9B5B7C)
          • WerFault.exe (PID: 3404 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 8 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • 2923.exe (PID: 2408 cmdline: C:\Users\user\AppData\Local\Temp\2923.exe MD5: A6995D610D05F1BEFD4D55A11C8316A2)
      • 495E.exe (PID: 6032 cmdline: C:\Users\user\AppData\Local\Temp\495E.exe MD5: EC1105BE312FD184FFC9D7F272D64B87)
  • hrsafib (PID: 784 cmdline: C:\Users\user\AppData\Roaming\hrsafib MD5: 8205D65F76FA63E73B7685FAF647A048)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": "86.107.197.138:38133"}

Threatname: GuLoader

{"Payload URL": "http://185.112.83.8/InjectHollowing.bin"}

Threatname: SmokeLoader

{"C2 list": ["http://rcacademy.at/upload/", "http://e-lanpengeonline.com/upload/", "http://vjcmvz.cn/upload/", "http://galala.ru/upload/", "http://witra.ru/upload/"]}

Yara Overview

Dropped Files

Source: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_60bf1a1728929f938e749327f53c25cfc2e1c9_85207d7d_0c54a73a\Report.wer | Rule: SUSP_WER_Suspicious_Crash_Directory | Description: Detects a crashed application executed in a suspicious directory | Author: Florian Roth
Strings:
  • 0x116:$a1: ReportIdentifier=
  • 0x198:$a1: ReportIdentifier=
  • 0x62e:$a2: .Name=Fault Module Name
  • 0x1954:$a3: AppPath=

Memory Dumps

Source: 00000017.00000000.463624409.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000015.00000002.464101376.0000000004021000.00000004.00000001.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 0000000A.00000000.355465568.0000000004DE1000.00000020.00020000.sdmp | Rule: JoeSecurity_SmokeLoader_2 | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 00000010.00000002.458737340.00000000008D0000.00000004.00000001.sdmp | Rule: JoeSecurity_SmokeLoader_2 | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 0000001B.00000002.551893990.0000000002280000.00000004.00020000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
(5 of 20 entries shown)

Unpacked PEs

Source: 0.2.16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe.400000.0.unpack | Rule: JoeSecurity_SmokeLoader_2 | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 27.2.2923.exe.24c562e.5.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 21.2.72E0.exe.4144c30.1.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 27.2.2923.exe.24c6516.6.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 23.0.72E0.exe.400000.7.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
(5 of 25 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://45.9.20.240:7769/Igno.exe | Avira URL Cloud: Label: malware
Source: http://185.112.83.8/install3.exe | Avira URL Cloud: Label: malware
Source: http://galala.ru/upload/ | Avira URL Cloud: Label: malware
Source: http://witra.ru/upload/ | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000015.00000002.464101376.0000000004021000.00000004.00000001.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "86.107.197.138:38133"}
Source: 00000010.00000002.458737340.00000000008D0000.00000004.00000001.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://rcacademy.at/upload/", "http://e-lanpengeonline.com/upload/", "http://vjcmvz.cn/upload/", "http://galala.ru/upload/", "http://witra.ru/upload/"]}
Source: 0000001F.00000002.551209430.0000000002800000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://185.112.83.8/InjectHollowing.bin"}
Multi AV Scanner detection for submitted file
Source: 16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe | Virustotal: Detection: 40%
Source: 16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe | ReversingLabs: Detection: 48%
Multi AV Scanner detection for domain / URL
Source: rcacademy.at | Virustotal: Detection: 11%
Source: http://e-lanpengeonline.com/upload/ | Virustotal: Detection: 15%
Source: http://185.112.83.8/InjectHollowing.bin | Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\495E.exe | ReversingLabs: Detection: 17%
Source: C:\Users\user\AppData\Local\Temp\72E0.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\hrsafib | ReversingLabs: Detection: 72%
Machine Learning detection for sample
Source: 16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2923.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\72E0.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\hrsafib | Joe Sandbox ML: detected

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\2923.exe | Unpacked PE file: 27.2.2923.exe.400000.0.unpack
Source: 16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 50.62.140.96:443 -> 192.168.2.3:49794 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 50.62.140.96:443 -> 192.168.2.3:49800 version: TLS 1.2
Source: Binary string: C:\sicijur\wecuxowixa-dan\ros.pdb source: 2923.exe, 0000001B.00000000.463292028.0000000000401000.00000020.00020000.sdmp, 2923.exe.10.dr
Source: Binary string: _.pdb source: 2923.exe, 0000001B.00000002.551893990.0000000002280000.00000004.00020000.sdmp, 2923.exe, 0000001B.00000002.556254868.0000000002485000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000003.474803638.00000000007E4000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000003.475688697.0000000000811000.00000004.00000001.sdmp
Source: Binary string: C:\fiyupadasabuw70-dida.pdb source: 16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe, hrsafib.10.dr
Source: Binary string: =oGC:\fiyupadasabuw70-dida.pdb source: 16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe, hrsafib.10.dr
Source: Binary string: :C:\sicijur\wecuxowixa-dan\ros.pdb source: 2923.exe, 0000001B.00000000.463292028.0000000000401000.00000020.00020000.sdmp, 2923.exe.10.dr

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 45.9.20.240 89
Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe | Domain query: www.bastinscustomfab.com
Source: C:\Windows\explorer.exe | Domain query: rcacademy.at
Source: C:\Windows\explorer.exe | Domain query: bastinscustomfab.com
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 7769
Source: unknown | Network traffic detected: HTTP traffic on port 7769 -> 49812
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://185.112.83.8/InjectHollowing.bin
Source: Malware configuration extractor | URLs: http://rcacademy.at/upload/
Source: Malware configuration extractor | URLs: http://e-lanpengeonline.com/upload/
Source: Malware configuration extractor | URLs: http://vjcmvz.cn/upload/
Source: Malware configuration extractor | URLs: http://galala.ru/upload/
Source: Malware configuration extractor | URLs: http://witra.ru/upload/
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Content-Type: application/octet-stream | Last-Modified: Fri, 17 Dec 2021 07:07:38 GMT | Accept-Ranges: bytes | ETag: "8d927cc614f3d71:0" | Server: Microsoft-IIS/10.0 | Date: Sat, 18 Dec 2021 12:20:32 GMT | Content-Length: 94424 | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5a 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 6a 00 00 00 da 02 00 00 08 00 00 2d 35 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 d0 04 00 00 04 00 00 a6 2f 02 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 86 00 00 a0 00 00 00 00 c0 04 00 48 0e 00 00 00 00 00 00 00 00 00 00 88 5c 01 00 50 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 68 00 00 00 10 00 00 00 6a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a6 14 00 00 00 80 00 00 00 16 00 00 00 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 b0 02 00 00 a0 00 00 00 06 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 60 01 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 48 0e 00 00 00 c0 04 00 00 10 00 00 00 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 (all remaining captured bytes are 00)
Source: global traffic | HTTP traffic detected: GET /attachments/921473641538027521/921473810035793960/Vorticism.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: cdn.discordapp.com
Source: global traffic | HTTP traffic detected: GET /veldolore/scc.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: bastinscustomfab.com
Source: global traffic | HTTP traffic detected: GET /veldolore/scc.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: www.bastinscustomfab.com | Cookie: PHPSESSID=4291b63b147dbc96c8447ef4e6b34353
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pphvdhmymq.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 141 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xbqjtgjf.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 318 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uktbenuhb.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 112 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vavfsrwv.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 229 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://oswrpx.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 233 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ygckrp.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 193 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jwenajppq.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 147 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bvoalid.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 192 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gpoxtoqxts.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 302 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kowlcxkrxm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 324 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://paxlqyqne.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 291 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://iafxr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 204 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xolkmhfa.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 120 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rlvebdfqac.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 205 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dgnpkbsira.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 248 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rhmdvbyxpf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 299 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hrplwete.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 178 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://crilbsj.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 251 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tstsiyr.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 176 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vamkc.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 155 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fervjudllq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 241 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fwcoldg.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 177 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://biwiddkhtr.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 206 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://unhpucf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 176 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://onkdfwky.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 185 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xwtemmnbe.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 291 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cscsqu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 247 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://otsgwcwsr.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 215 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: GET /Igno.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 45.9.20.240:7769
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vlcobvr.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 237 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ckmkwsxfy.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 336 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xiddinjdsd.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 140 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dmkdo.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 124 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gfxvjd.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 174 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tfefgq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 117 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://glqniasaag.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 326 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gafyxw.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 250 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://eovdxsh.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 344 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uvmvooh.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 164 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vjamgcp.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 303 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: GET /install3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.112.83.8
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ckpla.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 324 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://geohcb.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 361 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hhhhve.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 224 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://darkctngc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 251 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gtdbxjj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 331 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fkgfm.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 311 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kbcjv.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 142 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hfgkp.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 224 | Host: rcacademy.at
Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://adxfem.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 369 | Host: rcacademy.at
Source: Joe Sandbox View | IP Address: 41.41.255.235
Source: global traffic | TCP traffic: 192.168.2.3:49812 -> 45.9.20.240:7769
Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
                      Source: 495E.exe.10.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                      Source: 495E.exe.10.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                      Source: WerFault.exe, 0000001D.00000002.509080152.0000000003308000.00000004.00000020.sdmp, WerFault.exe, 0000001D.00000003.506310848.0000000003308000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: 495E.exe.10.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                      Source: 495E.exe.10.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                      Source: 495E.exe.10.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: 495E.exe.10.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                      Source: 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: http://forms.rea
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
                      Source: 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: http://go.micros
                      Source: 495E.exe.10.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                      Source: 495E.exe.10.drString found in binary or memory: http://ocsp.digicert.com0C
                      Source: 495E.exe.10.drString found in binary or memory: http://ocsp.digicert.com0O
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559278660.0000000002C5A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559278660.0000000002C5A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559278660.0000000002C5A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.557693182.00000000028B1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: 495E.exe.10.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                      Source: 2923.exe, 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560306827.00000000039AE000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559968660.0000000002DF4000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559160589.0000000002C44000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560120083.00000000038D7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560678718.0000000003A91000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560535821.0000000003A20000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558296219.00000000029FD000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559540490.0000000002D33000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559278660.0000000002C5A000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558863098.0000000002B82000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558530306.0000000002AC1000.00000004.00000001.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: 72E0.exe, 00000015.00000002.464101376.0000000004021000.00000004.00000001.sdmp, 72E0.exe, 00000015.00000002.464248188.0000000004198000.00000004.00000001.sdmp, 72E0.exe, 00000017.00000000.463624409.0000000000402000.00000040.00000001.sdmp, 2923.exe, 0000001B.00000002.560120083.00000000038D7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.551893990.0000000002280000.00000004.00020000.sdmp, 2923.exe, 0000001B.00000002.555917534.0000000002430000.00000004.00020000.sdmp, 2923.exe, 0000001B.00000002.556254868.0000000002485000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000003.474803638.00000000007E4000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560306827.00000000039AE000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559968660.0000000002DF4000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559160589.0000000002C44000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560120083.00000000038D7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560678718.0000000003A91000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560535821.0000000003A20000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558296219.00000000029FD000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559540490.0000000002D33000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559278660.0000000002C5A000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558863098.0000000002B82000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558530306.0000000002AC1000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: 2923.exe, 0000001B.00000002.559278660.0000000002C5A000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558863098.0000000002B82000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558530306.0000000002AC1000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559968660.0000000002DF4000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559160589.0000000002C44000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560120083.00000000038D7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560678718.0000000003A91000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558296219.00000000029FD000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559540490.0000000002D33000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559278660.0000000002C5A000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558863098.0000000002B82000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558530306.0000000002AC1000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559278660.0000000002C5A000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabP
                      Source: 2923.exe, 0000001B.00000002.560306827.00000000039AE000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560535821.0000000003A20000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabp
                      Source: 2923.exe, 0000001B.00000002.559278660.0000000002C5A000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558863098.0000000002B82000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558530306.0000000002AC1000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: https://get.adob
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: https://helpx.ad
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560306827.00000000039AE000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559968660.0000000002DF4000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559160589.0000000002C44000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560120083.00000000038D7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560678718.0000000003A91000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560535821.0000000003A20000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558296219.00000000029FD000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559540490.0000000002D33000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559278660.0000000002C5A000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558863098.0000000002B82000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558530306.0000000002AC1000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560306827.00000000039AE000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559968660.0000000002DF4000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559160589.0000000002C44000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560120083.00000000038D7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560678718.0000000003A91000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560535821.0000000003A20000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558296219.00000000029FD000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559540490.0000000002D33000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559278660.0000000002C5A000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558863098.0000000002B82000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558530306.0000000002AC1000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                      Source: 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                      Source: 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                      Source: 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                      Source: 495E.exe.10.drString found in binary or memory: https://www.digicert.com/CPS0
                      Source: 2923.exeString found in binary or memory: https://www.ecosia.org/search?q=
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560306827.00000000039AE000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559968660.0000000002DF4000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559160589.0000000002C44000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560120083.00000000038D7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560678718.0000000003A91000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.560535821.0000000003A20000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558296219.00000000029FD000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558029508.0000000002947000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559540490.0000000002D33000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559278660.0000000002C5A000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558863098.0000000002B82000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558530306.0000000002AC1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: unknownDNS traffic detected: queries for: rcacademy.at
                      Source: global trafficHTTP traffic detected: GET /attachments/921473641538027521/921473810035793960/Vorticism.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.com
                      Source: global trafficHTTP traffic detected: GET /veldolore/scc.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bastinscustomfab.com
                      Source: global trafficHTTP traffic detected: GET /veldolore/scc.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: www.bastinscustomfab.comCookie: PHPSESSID=4291b63b147dbc96c8447ef4e6b34353
                      Source: global trafficHTTP traffic detected: GET /Igno.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.9.20.240:7769
                      Source: global trafficHTTP traffic detected: GET /install3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.112.83.8
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49794
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49800 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49794 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49800
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 18 Dec 2021 12:20:16 GMTServer: ApacheX-Powered-By: PHP/7.3.33Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.bastinscustomfab.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
                      Source: unknownTCP traffic detected without corresponding DNS query: 45.9.20.240
                      Source: 2923.exe, 0000001B.00000002.558395661.0000000002A13000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558684249.0000000002AD7000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559665584.0000000002D49000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmp, 2923.exe, 0000001B.00000002.559407944.0000000002CBD000.00000004.00000001.sdmpString found in binary or memory: :m9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
                      Source: 2923.exe, 0000001B.00000002.558935211.0000000002B99000.00000004.00000001.sdmpString found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely 
different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
                      Source: unknown HTTP traffic detected: POST /upload/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://pphvdhmymq.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 141 Host: rcacademy.at
                      Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49776 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 50.62.140.96:443 -> 192.168.2.3:49794 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 50.62.140.96:443 -> 192.168.2.3:49800 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected SmokeLoader
                      Source: Yara match File source: 0.2.16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe.980e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 16.2.hrsafib.8b0e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 16.3.hrsafib.8c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.3.16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe.990000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 16.2.hrsafib.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0000000A.00000000.355465568.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.458737340.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000003.444232166.00000000008C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.365139962.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.365164122.0000000000AD1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.458868495.0000000000A11000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.309928916.0000000000990000.00000004.00000001.sdmp, type: MEMORY
                      Source: 16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe, 00000000.00000002.365186953.0000000000B4A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Users\user\AppData\Local\Temp\72E0.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 8
                      Source: C:\Users\user\Desktop\16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe Code function: 0_2_0040A763
                      Source: C:\Users\user\Desktop\16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe Code function: 0_2_0040C075
                      Source: C:\Users\user\Desktop\16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe Code function: 0_2_0040DA12
                      Source: C:\Users\user\Desktop\16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe Code function: 0_2_0040BB31
                      Source: C:\Users\user\Desktop\16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe Code function: 0_2_0040C5B9
                      Source: C:\Users\user\AppData\Roaming\hrsafib Code function: 16_2_0040A763
                      Source: C:\Users\user\AppData\Roaming\hrsafib Code function: 16_2_0040C075
                      Source: C:\Users\user\AppData\Roaming\hrsafib Code function: 16_2_0040DA12