Windows Analysis Report 2i85zGtHIl.exe

Overview

General Information

Sample Name: 2i85zGtHIl.exe
Analysis ID: 546457
MD5: 5367ca900ff1988ce2ee1c93b241c764
SHA1: 9b5ef337871490ed36f31bb18b0b4d318039e23c
SHA256: 07bb36227d8121f29c43baae188b43f3d5c4885ef4b20410fca8985235168c68
Tags: exe, RedLineStealer

Detection

RedLine
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to steal Crypto Currency Wallets
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Binary contains a suspicious time stamp
Detected potential crypto function
Yara detected Credential Stealer
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • 2i85zGtHIl.exe (PID: 4972 cmdline: "C:\Users\user\Desktop\2i85zGtHIl.exe" MD5: 5367CA900FF1988CE2EE1C93B241C764)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["45.150.67.151:31440"], "Bot Id": "svech2"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
2i85zGtHIl.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.327925997.00000000007A2000.00000002.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000000.275405145.00000000007A2000.00000002.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: 2i85zGtHIl.exe PID: 4972 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.2i85zGtHIl.exe.7a0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
2.0.2i85zGtHIl.exe.7a0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.2i85zGtHIl.exe.7a0000.0.unpack, Malware Configuration Extractor: RedLine {"C2 url": ["45.150.67.151:31440"], "Bot Id": "svech2"}
Multi AV Scanner detection for submitted file
Source: 2i85zGtHIl.exe, Virustotal: Detection: 44%
Source: C:\Users\user\Desktop\2i85zGtHIl.exe, Code function: 2_2_06A3CAB8 CryptUnprotectData,
Source: C:\Users\user\Desktop\2i85zGtHIl.exe, Code function: 2_2_06A3D268 CryptUnprotectData,
Source: 2i85zGtHIl.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 2i85zGtHIl.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic, TCP traffic: 192.168.2.3:49750 -> 45.150.67.151:31440
Source: Joe Sandbox View, ASN Name: ASDETUKhttpwwwheficedcomGB
Source: unknown, TCP traffic detected without corresponding DNS query: 45.150.67.151
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp, String found in binary or memory: Ji9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329956845.0000000002F5E000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329665099.0000000002D99000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329755939.0000000002E1D000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14V
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329261179.0000000002BE7000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329665099.0000000002D99000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329261179.0000000002BE7000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329261179.0000000002BE7000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329261179.0000000002BE7000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                  Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329956845.0000000002F5E000.00000004.00000001.sdmp | String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: 2i85zGtHIl.exe, 00000002.00000002.330470320.0000000003D0A000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329665099.0000000002D99000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329403565.0000000002CC2000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329604363.0000000002D83000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.330583634.0000000003D7B000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 2i85zGtHIl.exe | String found in binary or memory: https://api.ip.sb/ip
Source: 2i85zGtHIl.exe, 00000002.00000002.330470320.0000000003D0A000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329665099.0000000002D99000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329403565.0000000002CC2000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329604363.0000000002D83000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.330583634.0000000003D7B000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2i85zGtHIl.exe, 00000002.00000002.330470320.0000000003D0A000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329665099.0000000002D99000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329403565.0000000002CC2000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329604363.0000000002D83000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.330583634.0000000003D7B000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 2i85zGtHIl.exe, 00000002.00000002.329665099.0000000002D99000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabLW
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://get.adob
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://helpx.ad
Source: 2i85zGtHIl.exe, 00000002.00000002.330470320.0000000003D0A000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329665099.0000000002D99000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329403565.0000000002CC2000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329604363.0000000002D83000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.330583634.0000000003D7B000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 2i85zGtHIl.exe, 00000002.00000002.330470320.0000000003D0A000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329665099.0000000002D99000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329403565.0000000002CC2000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329604363.0000000002D83000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.330583634.0000000003D7B000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329956845.0000000002F5E000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329956845.0000000002F5E000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329956845.0000000002F5E000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 2i85zGtHIl.exe, 00000002.00000002.330470320.0000000003D0A000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329665099.0000000002D99000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329403565.0000000002CC2000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329604363.0000000002D83000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.330583634.0000000003D7B000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 2i85zGtHIl.exe, 00000002.00000002.328307952.0000000000EA0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: 2i85zGtHIl.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 2i85zGtHIl.exe, 00000002.00000002.327947704.00000000007BC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDare.exe4 vs 2i85zGtHIl.exe
Source: 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs 2i85zGtHIl.exe
Source: 2i85zGtHIl.exe, 00000002.00000002.328307952.0000000000EA0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 2i85zGtHIl.exe
Source: 2i85zGtHIl.exe | Binary or memory string: OriginalFilenameDare.exe4 vs 2i85zGtHIl.exe
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_0291EC28
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06A37FB0
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06A30FC8
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06A32CF0
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06A39B78
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06A3BD90
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06C09E28
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06C094D0
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06C02210
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06C094C0
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06C09A6D
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06C073A0
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06C073B0
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06C018D8
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06C011C0
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06C011B0
Source: 2i85zGtHIl.exe | Virustotal: Detection: 44%
Source: 2i85zGtHIl.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | File created: C:\Users\user\AppData\Local\Yandex
Source: classification engine | Classification label: mal92.troj.spyw.evad.winEXE@1/1@0/1
Source: 2i85zGtHIl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 2i85zGtHIl.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: 2i85zGtHIl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_02913C78 push esp; iretd
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06A3F470 push es; ret
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06A3FE70 push es; ret
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06C08F80 push es; ret
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Code function: 2_2_06C0A720 push es; ret
Source: 2i85zGtHIl.exe | Static PE information: 0xA3CD4B7B [Wed Jan 31 04:20:11 2057 UTC]
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Window / User API: threadDelayed 1546
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Window / User API: threadDelayed 3021
Source: C:\Users\user\Desktop\2i85zGtHIl.exe TID: 6820 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\2i85zGtHIl.exe TID: 6464 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Process information queried: ProcessInformation
Source: 2i85zGtHIl.exe, 00000002.00000003.322352331.0000000000F8E000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: 2i85zGtHIl.exe, 00000002.00000003.322352331.0000000000F8E000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwarePS3YOS4OWin32_VideoControllerEZAEU5YOVideoController120060621000000.000000-000421030.8display.infMSBDAOHY669F1PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors2T99N1A6
Source: 2i85zGtHIl.exe, 00000002.00000002.328392107.0000000000EE0000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Users\user\Desktop\2i85zGtHIl.exe VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 2i85zGtHIl.exe, 00000002.00000002.328480545.0000000000F75000.00000004.00000020.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2i85zGtHIl.exe, type: SAMPLE
Source: Yara match | File source: 2.2.2i85zGtHIl.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.2i85zGtHIl.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.327925997.00000000007A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.275405145.00000000007A2000.00000002.00020000.sdmp, type: MEMORY
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 2i85zGtHIl.exe, 00000002.00000002.329261179.0000000002BE7000.00000004.00000001.sdmp | String found in binary or memory: %appdata%\Electrum\wallets
Source: 2i85zGtHIl.exe, 00000002.00000002.329261179.0000000002BE7000.00000004.00000001.sdmp | String found in binary or memory: Ji1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: 2i85zGtHIl.exe, 00000002.00000002.329261179.0000000002BE7000.00000004.00000001.sdmp | String found in binary or memory: Ji-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: 2i85zGtHIl.exe, 00000002.00000002.329261179.0000000002BE7000.00000004.00000001.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 2i85zGtHIl.exe, 00000002.00000002.329261179.0000000002BE7000.00000004.00000001.sdmp | String found in binary or memory: %appdata%\Ethereum\wallets
Source: 2i85zGtHIl.exe, 00000002.00000002.329261179.0000000002BE7000.00000004.00000001.sdmp | String found in binary or memory: Ji5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\2i85zGtHIl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2i85zGtHIl.exe PID: 4972, type: MEMORYSTR

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2i85zGtHIl.exe, type: SAMPLE
Source: Yara match | File source: 2.2.2i85zGtHIl.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.2i85zGtHIl.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.327925997.00000000007A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.275405145.00000000007A2000.00000002.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (221) | Path Interception | Path Interception | Masquerading (1) | OS Credential Dumping (1) | Security Software Discovery (231) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | Input Capture (1) | Process Discovery (11) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (231) | Security Account Manager | Virtualization/Sandbox Evasion (231) | SMB/Windows Admin Shares | Data from Local System (3) | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp (1) | LSA Secrets | System Information Discovery (123) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

                  Behavior Graph

                  Screenshots


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

Source | Detection | Scanner | Label
2i85zGtHIl.exe | 44% | Virustotal |

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

Source | Detection | Scanner | Label
http://service.r | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
http://ns.ado/Ident | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14V | 0% | Avira URL Cloud | safe
http://support.a | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
http://forms.rea | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | 2i85zGtHIl.exe, 00000002.00000002.330470320.0000000003D0A000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329665099.0000000002D99000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329403565.0000000002CC2000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329604363.0000000002D83000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.330583634.0000000003D7B000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | false | | high
http://service.r | 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329956845.0000000002F5E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/ac/?q= | 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329665099.0000000002D99000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id9 | 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id8 | 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id4 | 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_real | 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329956845.0000000002F5E000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329956845.0000000002F5E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | | high
http://ns.ado/Ident | 2i85zGtHIl.exe, 00000002.00000003.327692175.000000000112B000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000003.327726207.000000000112C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_pdf | 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | 2i85zGtHIl.exe, 00000002.00000002.329261179.0000000002BE7000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14V | 2i85zGtHIl.exe, 00000002.00000002.329755939.0000000002E1D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://forms.real.com/real/realone/download.html?type=rpsp_us | 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329956845.0000000002F5E000.00000004.00000001.sdmp | false | | high
http://support.a | 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | 2i85zGtHIl.exe, 00000002.00000002.329261179.0000000002BE7000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
https://api.ip.sb/ip | 2i85zGtHIl.exe | false | URL Reputation: safe | unknown
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe | 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_quicktime | 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/sc | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id20 | 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | 2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp | false | | high
                                                                                  http://tempuri.org/Entity/Id232i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA12i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://tempuri.org/Entity/Id242i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id24Response2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://tempuri.org/Entity/Id1Response2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              https://duckduckgo.com/chrome_newtabLW2i85zGtHIl.exe, 00000002.00000002.329665099.0000000002D99000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressing2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://support.google.com/chrome/?p=plugin_shockwave2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://forms.rea2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329956845.0000000002F5E000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trust2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id102i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id112i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id122i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id16Response2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id132i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id142i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id152i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id162i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id172i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id182i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id5Response2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id192i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id10Response2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/Renew2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id8Response2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            https://support.google.com/chrome/?p=plugin_wmp2i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp, 2i85zGtHIl.exe, 00000002.00000002.329956845.0000000002F5E000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.02i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID2i85zGtHIl.exe, 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://support.google.com/chrome/answer/62587842i85zGtHIl.exe, 00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmpfalse
                                                                                                                                      high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.150.67.151 | unknown | Montenegro | 61317 | ASDETUKhttpwwwheficedcomGB | true
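Nearly every row in the URL table above is noise: the schemas.xmlsoap.org, docs.oasis-open.org and tempuri.org entries are the WS-* namespace URIs that .NET's System.ServiceModel (WCF) carries in every process that loads it, so they prove the sample uses WCF (consistent with RedLine's WCF-based C2) but are not destinations it talks to. The one string worth a second look, https://api.ip.sb/ip, is a public IP-lookup endpoint that the table rates "safe", and the only real network indicator in this section is the contacted IP 45.150.67.151 flagged malicious. The script below is an added example, not part of the Joe Sandbox report: it parses the flattened rows exactly as they appear on this page (the process name is the only reliable delimiter between the URL and the source column), buckets each URL by host, and joins the leftovers with the contacted-IP row. The host lists and the bucket names are my own; in particular, the assumption that the support.google.com, duckduckgo.com and download.divx.com strings come from browser data the stealer reads rather than from its own traffic is mine and is not stated by the report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: rows copied from the "URLs from memory" table of this
# report, as the extraction flattened them (URL, process name, memory dump
# identifiers and the Malicious flag run together without separators).
SAMPLE_NAME = "2i85zGtHIl.exe"

RAW_URL_ROWS = [
    "https://api.ip.sb/ip2i85zGtHIl.exefalse",
    "http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe2i85zGtHIl.exe, "
    "00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmpfalse",
    "http://tempuri.org/Entity/Id202i85zGtHIl.exe, "
    "00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse",
    "https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=2i85zGtHIl.exe, "
    "00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmpfalse",
    "http://tempuri.org/Entity/Id1Response2i85zGtHIl.exe, "
    "00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, 2i85zGtHIl.exe, "
    "00000002.00000002.328969662.0000000002A91000.00000004.00000001.sdmpfalse",
    "http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce2i85zGtHIl.exe, "
    "00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmpfalse",
    "http://forms.rea2i85zGtHIl.exe, "
    "00000002.00000002.329465463.0000000002CD8000.00000004.00000001.sdmp, 2i85zGtHIl.exe, "
    "00000002.00000002.329956845.0000000002F5E000.00000004.00000001.sdmpfalse",
]

# Constructed copy of the report's "Contacted IPs" row.
CONTACTED_IPS = [{"ip": "45.150.67.151", "asn": 61317, "malicious": True}]

# Hosts of WS-*/SOAP namespace URIs embedded in .NET's System.ServiceModel (WCF).
# Their presence says "this process loaded WCF", nothing about network destinations.
DOTNET_WCF_HOSTS = {"schemas.xmlsoap.org", "docs.oasis-open.org", "tempuri.org",
                    "schemas.microsoft.com", "www.w3.org"}
# Assumption (mine, not the report's): these come from browser data the stealer
# parses while harvesting Chrome profiles, not from its own connections.
BROWSER_DATA_HOSTS = {"support.google.com", "duckduckgo.com", "download.divx.com"}

DUMP_ID_RE = re.compile(r"\d{8}\.\d{8}\.\d+\.[0-9A-Fa-f]{16}\.\d{8}\.\d{8}\.sdmp")


def parse_row(row: str, sample_name: str) -> dict:
    """Split one flattened row into its URLs, memory-dump sources and Malicious flag."""
    cut = row.find(sample_name)
    if cut < 0:
        raise ValueError(f"row does not contain the process name: {row!r}")
    url_field, rest = row[:cut], row[cut:]
    # A cell holding two URLs was flattened into one string; split before each scheme.
    urls = [u for u in re.split(r"(?=https?://)", url_field) if u]
    return {
        "urls": urls,
        "sources": DUMP_ID_RE.findall(rest),
        "malicious": rest.endswith("true"),
    }


def classify(url: str) -> str:
    host = (urlsplit(url).hostname or "").lower()
    if host in DOTNET_WCF_HOSTS:
        return "dotnet_wcf"
    if host in BROWSER_DATA_HOSTS:
        return "browser_data"
    return "candidate"  # everything else, truncated strings included, gets a human look


def triage(rows, sample_name: str) -> dict:
    """Bucket every URL in the table; returns sorted, de-duplicated lists per bucket."""
    buckets = {"dotnet_wcf": [], "browser_data": [], "candidate": []}
    for row in rows:
        for url in parse_row(row, sample_name)["urls"]:
            buckets[classify(url)].append(url)
    return {name: sorted(set(urls)) for name, urls in buckets.items()}


def network_iocs(buckets: dict, contacted_ips) -> list:
    """Hosts and IPs worth hunting for: candidate URL hosts plus malicious contacted IPs."""
    hosts = {urlsplit(u).hostname for u in buckets["candidate"]}
    hosts |= {entry["ip"] for entry in contacted_ips if entry["malicious"]}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    result = triage(RAW_URL_ROWS, SAMPLE_NAME)
    for name, urls in result.items():
        print(f"{name}: {len(urls)} unique URL(s)")
    print("hunt for:", network_iocs(result, CONTACTED_IPS))
```

The candidate bucket is deliberately small and is where the analyst's time goes: api.ip.sb is a legitimate service, so blocking it is a weak control, but an outbound request to it from a process that is not a browser is a usable hunting query, and the truncated http://forms.rea string lands there too rather than being silently dropped. Pair the candidate hosts with the 45.150.67.151 row for firewall and proxy log searches; the WCF and browser-data buckets are only useful as capability evidence.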

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 546457
Start date: 30.12.2021
Start time: 06:07:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 2i85zGtHIl.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.troj.spyw.evad.winEXE@1/1@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.1% (good quality ratio 0%)
• Quality average: 24.2%
• Quality standard deviation: 35.4%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 23.211.4.86
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found

Simulations

Behavior and APIs

Time | Type | Description
06:08:23 | API Interceptor | 25x Sleep call for process: 2i85zGtHIl.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2i85zGtHIl.exe.log
Process: C:\Users\user\Desktop\2i85zGtHIl.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2291
Entropy (8bit): 5.3192079301865585
Encrypted: false
SSDEEP: 48:MOfHK5HKXAHKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHKoLHG1qHjHKdHAHDJn:vq5qXAqLqdqUqzcGYqhQnoPtIxHbqoL1
MD5: B8B968C6C5994E11C0AEF299F6CC13DF
SHA1: 60351148A0D29E39DF51AE7F8D6DA7653E31BCF9
SHA-256: DD53198266985E5C23239DCDDE91B25CF1FC1F4266B239533C11DDF0EF0F958D
SHA-512: CFBCFCB650EF8C84A4BA005404E90ECAC9E77BDB618F53CD5948C085E44D099183C97C1D818A905B16C5E495FF167BD47347B14670A6E68801B0C01BC264F168
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.772942751694307
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.79%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
File name: 2i85zGtHIl.exe
File size: 106496
MD5: 5367ca900ff1988ce2ee1c93b241c764
SHA1: 9b5ef337871490ed36f31bb18b0b4d318039e23c
SHA256: 07bb36227d8121f29c43baae188b43f3d5c4885ef4b20410fca8985235168c68
SHA512: 5eea26bb98893617a4fbdaad8cba09d09985170936f340773fab38b656a0ac19ca296a3d6cce2114399affdbd7d1cd4f08a6bc4aedebe4d6c55a5ff4ce841a41
SSDEEP: 1536:uUVrk5Rh6BuHDZIzwuZsri/zs/2ZZ8ZZZqa5ZvLAbYpfVxeRKZ3vsS800x:uUVofrHDakuZv/+qU9LQYUlZP
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{K................0.................. ........@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4191ae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xA3CD4B7B [Wed Jan 31 04:20:11 2057 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
popad
add byte ptr [ebp+00h], dh
je 00007F68F066E7A2h
outsd
add byte ptr [esi+00h], ah
imul eax, dword ptr [eax], 006C006Ch
push eax
add byte ptr [edx+00h], dh
outsd
add byte ptr [esi+00h], ah
imul eax, dword ptr [eax], 0065006Ch
jnc 00007F68F066E7A2h
push esp
add byte ptr [edi+00h], ch
je 00007F68F066E7A2h
popad
add byte ptr [eax+eax+20h], ch
add byte ptr [edi+00h], ch
add byte ptr [eax], ah
add byte ptr [edx+00h], dl
inc ecx
add byte ptr [ebp+00h], cl
and eax, 53005500h
add byte ptr [ebp+00h], al
push edx
add byte ptr [eax+00h], dl
inc ebp
add byte ptr [esi+00h], ch
jbe 00007F68F066E7A2h
imul eax, dword ptr [eax], 006F0072h
outsb
add byte ptr [ebp+00h], ch
add byte ptr [esi+00h], ch
je 00007F68F066E7A2h
push edx
add byte ptr [edi+00h], cl
inc esi
add byte ptr [ecx+00h], cl
dec esp
add byte ptr [ebp+00h], al
and eax, 41005C00h
add byte ptr [eax+00h], dh
jo 00007F68F066E7A2h
inc esp
add byte ptr [ebp+00h], al
outsb
add byte ptr [esi+00h], dh
imul eax, dword ptr [eax], 006F0072h
outsb
add byte ptr [ebp+00h], ch
add byte ptr [esi+00h], ch
je 00007F68F066E7A2h
popad
add byte ptr [eax+eax+61h], dh
add byte ptr [eax+eax+52h], bl
add byte ptr [edi+00h], ch
popad
add byte ptr [ebp+00h], al
outsb
add byte ptr [esi+00h], dh
imul eax, dword ptr [eax], 006F0072h
outsb
add byte ptr [ebp+00h], ch
add byte ptr [esi+00h], ch
je 00007F68F066E7A2h
insd
add byte ptr [ecx+00h], ch
outsb
add byte ptr [edi+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
inc ecx
add byte ptr [eax+00h], dh
jo 00007F68F066E7A2h
inc esp
add byte ptr [ecx+00h], ah

Data Directories

Name                                 Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT         0x1915c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       0x1c000          0x4cc         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC      0x1e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          0x19140          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT            0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0x18d84       0x19000   False     0.4330859375     data       5.88115313974    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x1c000          0x4cc         0x800     False     0.2822265625     data       2.97023887572    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x1e000          0xc           0x400     False     0.025390625      data       0.0558553080537  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                        Language  Country
RT_VERSION   0x1c090  0x23c  data
RT_MANIFEST  0x1c2dc  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain
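The static values listed above (image base, entry point, the IAT and COM descriptor directories, the section table, the link-time stamp) can be cross-checked against each other with a few lines of Python. The block below is an added example written for this page; it is not Joe Sandbox code. The constants are copied from the tables above, the analysis date is taken from the TCP Packets table, and the bytes at the entry point are reconstructed by hand from the first instructions of the Entrypoint Preview on the assumption that the short jumps listed there carry a zero displacement.

```python
"""Cross-check the static PE values reported for 2i85zGtHIl.exe (added example)."""
import datetime
import struct

# Values copied from the "Static PE Info", "Data Directories" and "Sections" tables.
IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x4191ae                      # the report lists the entry point as a VA
IAT_RVA, IAT_SIZE = 0x2000, 0x8                # IMAGE_DIRECTORY_ENTRY_IAT
COM_DESCRIPTOR_RVA = 0x2008                    # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
TIME_DATE_STAMP = 0xA3CD4B7B                   # IMAGE_FILE_HEADER.TimeDateStamp
SECTIONS = {".text": (0x2000, 0x18d84), ".rsrc": (0x1c000, 0x4cc), ".reloc": (0x1e000, 0xc)}
# Day of the sandbox run, from the TCP Packets table (CET; treated as UTC for this check).
ANALYSIS_DATE = datetime.datetime(2021, 12, 30, tzinfo=datetime.timezone.utc)

# Bytes at the entry point, reconstructed by hand from the first instructions in the
# Entrypoint Preview. Assumption: each short jump there (je/jnc) has displacement 0x00.
ENTRY_BYTES = bytes.fromhex(
    "FF25 00204000"                                  # jmp dword ptr [00402000h]
    "6100 7500 7400 6F00 6600 6900 6C00 6C00"        # popad, add, je, outsd, add, imul
    "5000 7200 6F00 6600 6900 6C00 6500 7300 5400"   # push eax, add, outsd, add, imul, jnc, push esp
)


def timestamp_to_utc(stamp):
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch)."""
    return datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)


def timestamp_is_suspicious(stamp, observed):
    """A link time later than the day the sample was seen running cannot be genuine."""
    return timestamp_to_utc(stamp) > observed


def section_of_rva(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None (headers / gaps)."""
    for name, (va, size) in sections.items():
        if va <= rva < va + size:
            return name
    return None


def indirect_jmp_slot_rva(code, image_base):
    """For an `FF 25 disp32` (jmp dword ptr [abs]) return the RVA of the pointer it reads."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    (slot_va,) = struct.unpack_from("<I", code, 2)
    return slot_va - image_base


def is_managed_entry_stub(code, image_base, iat_rva, iat_size, com_rva):
    """The native entry of a .NET exe is one jmp through the lone IAT slot (mscoree!_CorExeMain)."""
    slot = indirect_jmp_slot_rva(code, image_base)
    return (
        slot is not None
        and iat_rva <= slot < iat_rva + iat_size
        and iat_size == 8           # one 4-byte thunk plus its null terminator: a single import
        and com_rva != 0            # a CLR header is present
    )


def bytes_after_stub_as_text(code, stub_len=6):
    """Decode what follows the stub as UTF-16LE: it is string data the disassembler mangled."""
    tail = code[stub_len:]
    tail = tail[: len(tail) - len(tail) % 2]
    return tail.decode("utf-16-le", errors="replace")


if __name__ == "__main__":
    stamp = timestamp_to_utc(TIME_DATE_STAMP)
    print("link time:", stamp.isoformat(),
          "(postdates the analysis)" if timestamp_is_suspicious(TIME_DATE_STAMP, ANALYSIS_DATE) else "")
    print("entry point section:", section_of_rva(ENTRY_POINT_VA - IMAGE_BASE))
    print("jmp reads IAT slot at RVA:", hex(indirect_jmp_slot_rva(ENTRY_BYTES, IMAGE_BASE)))
    print("managed entry stub:", is_managed_entry_stub(
        ENTRY_BYTES, IMAGE_BASE, IAT_RVA, IAT_SIZE, COM_DESCRIPTOR_RVA))
    print("bytes after stub:", repr(bytes_after_stub_as_text(ENTRY_BYTES)))
```

What this confirms: `jmp dword ptr [00402000h]` reads the single IAT slot (0x2000, size 8) that holds mscoree!_CorExeMain, which is the standard native stub of a managed executable, so the only import in the table is expected and carries no information about what the code does. Everything the disassembler lists after the stub decodes as UTF-16LE text ("autofillProfiles..."), not instructions, which is why the preview degenerates into popad/outsd/imul noise. The 2057 link time postdates the day of the run, so the stamp was overwritten and cannot be used to date the build.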

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright
Assembly Version  0.0.0.0
InternalName      Dare.exe
FileVersion       0.0.0.0
ProductVersion    0.0.0.0
FileDescription
OriginalFilename  Dare.exe

                                                                                                                                      Network Behavior

                                                                                                                                      Network Port Distribution

                                                                                                                                      TCP Packets


Code Manipulations

Statistics

System Behavior

General

Start time: 06:08:02
Start date: 30/12/2021
Path: C:\Users\user\Desktop\2i85zGtHIl.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\2i85zGtHIl.exe"
Imagebase: 0x7a0000
File size: 106496 bytes
MD5 hash: 5367CA900FF1988CE2EE1C93B241C764
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.327925997.00000000007A2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000000.275405145.00000000007A2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.329114422.0000000002B20000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis
