

Windows Analysis Report xD2TnigEaY

Overview

General Information

Sample Name: xD2TnigEaY (renamed file extension from none to exe)
Analysis ID: 553367
MD5: 07dd723a06bb89dc1bdce3cc56f1cf20
SHA1: d36a56e3aa33c602cbb405dc6dd7425e17cf4672
SHA256: d56f880cb8c35e66750faa6ae9284f0eb2383cec287e8cef4f85122fe90d4305
Tags: 32, exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to steal Crypto Currency Wallets
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Is looking for software installed on the system
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Binary contains a suspicious time stamp
Detected potential crypto function
Yara detected Credential Stealer
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • xD2TnigEaY.exe (PID: 5128 cmdline: "C:\Users\user\Desktop\xD2TnigEaY.exe" MD5: 07DD723A06BB89DC1BDCE3CC56F1CF20)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["208.167.249.72:2943"], "Bot Id": "Result"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
xD2TnigEaY.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.341469282.00000000001E2000.00000002.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.397709229.00000000001E2000.00000002.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: xD2TnigEaY.exe PID: 5128 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.xD2TnigEaY.exe.1e0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.0.xD2TnigEaY.exe.1e0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: xD2TnigEaY.exe, Avira: detected
Found malware configuration
Source: 0.2.xD2TnigEaY.exe.1e0000.0.unpack, Malware Configuration Extractor: RedLine {"C2 url": ["208.167.249.72:2943"], "Bot Id": "Result"}
Multi AV Scanner detection for submitted file
Source: xD2TnigEaY.exe, Virustotal: Detection: 65%
Source: xD2TnigEaY.exe, ReversingLabs: Detection: 83%
Antivirus detection for URL or domain
Source: http://tempuri.org/Entity/Id22ResponseH0f, Avira URL Cloud: Label: phishing
Machine Learning detection for sample
Source: xD2TnigEaY.exe, Joe Sandbox ML: detected
Source: xD2TnigEaY.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: xD2TnigEaY.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic, TCP traffic: 192.168.2.6:49758 -> 208.167.249.72:2943
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: unknown, TCP traffic detected without corresponding DNS query: 208.167.249.72
                    Source: xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmpString found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely 
different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: m9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: http://forms.rea
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: http://go.micros
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399932623.0000000003812000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseH0f
                    Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4yT
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                    Source: xD2TnigEaY.exe, 00000000.00000002.399003702.0000000002A02000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399331879.0000000002B1D000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399057998.0000000002A28000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399691160.0000000003695000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000003.393215328.0000000003A80000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399932623.0000000003812000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399137901.0000000002A3F000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.400523351.0000000003BF7000.00000004.00000001.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: xD2TnigEaY.exeString found in binary or memory: https://api.ip.sb/ip
                    Source: xD2TnigEaY.exe, 00000000.00000002.399003702.0000000002A02000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399331879.0000000002B1D000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399057998.0000000002A28000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399691160.0000000003695000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000003.393215328.0000000003A80000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399932623.0000000003812000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399137901.0000000002A3F000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.400523351.0000000003BF7000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: xD2TnigEaY.exe, 00000000.00000002.399003702.0000000002A02000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399331879.0000000002B1D000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399057998.0000000002A28000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399691160.0000000003695000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000003.393215328.0000000003A80000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399932623.0000000003812000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399137901.0000000002A3F000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.400523351.0000000003BF7000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: xD2TnigEaY.exe, 00000000.00000002.399003702.0000000002A02000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399331879.0000000002B1D000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399057998.0000000002A28000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399691160.0000000003695000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000003.393215328.0000000003A80000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399932623.0000000003812000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399137901.0000000002A3F000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.400523351.0000000003BF7000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: xD2TnigEaY.exe, 00000000.00000002.399003702.0000000002A02000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399331879.0000000002B1D000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399057998.0000000002A28000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399691160.0000000003695000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000003.393215328.0000000003A80000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399932623.0000000003812000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399137901.0000000002A3F000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.400523351.0000000003BF7000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: https://get.adob
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: https://helpx.ad
                    Source: xD2TnigEaY.exe, 00000000.00000002.399003702.0000000002A02000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399331879.0000000002B1D000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399057998.0000000002A28000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399691160.0000000003695000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000003.393215328.0000000003A80000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399932623.0000000003812000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399137901.0000000002A3F000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.400523351.0000000003BF7000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                    Source: xD2TnigEaY.exe, 00000000.00000002.399003702.0000000002A02000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399331879.0000000002B1D000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399057998.0000000002A28000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399691160.0000000003695000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000003.393215328.0000000003A80000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399932623.0000000003812000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399137901.0000000002A3F000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.400523351.0000000003BF7000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                    Source: xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                    Source: xD2TnigEaY.exe, 00000000.00000002.399003702.0000000002A02000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399331879.0000000002B1D000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399057998.0000000002A28000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399691160.0000000003695000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000003.393215328.0000000003A80000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399932623.0000000003812000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399137901.0000000002A3F000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.400523351.0000000003BF7000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: xD2TnigEaY.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: xD2TnigEaY.exe, 00000000.00000000.341485356.00000000001FC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBiphenyl.exe4 vs xD2TnigEaY.exe
Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs xD2TnigEaY.exe
Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs xD2TnigEaY.exe
Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | Binary or memory string: m,\\StringFileInfo\\040904B0\\OriginalFilename vs xD2TnigEaY.exe
Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs xD2TnigEaY.exe
Source: xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs xD2TnigEaY.exe
Source: xD2TnigEaY.exe | Binary or memory string: OriginalFilenameBiphenyl.exe4 vs xD2TnigEaY.exe
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Code function: 0_2_0091EC28
Source: xD2TnigEaY.exe | Virustotal: Detection: 65%
Source: xD2TnigEaY.exe | ReversingLabs: Detection: 83%
Source: xD2TnigEaY.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
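The two WMI rows above are the raw material for a host-side detection: a single Win32_Processor query is routine for inventory and update agents, but one process walking several hardware classes (processor, video controller, disk drive) in quick succession is the pattern VM-detection code produces. The following is an added example, not part of the Joe Sandbox report or of the sample; the event records it scores are constructed to resemble WMI-Activity log entries, with the first four mirroring the queries this report attributes to the sample, and the class list and threshold are assumptions to tune locally.

```python
import html
import re
from collections import defaultdict

# WMI classes that VM/sandbox fingerprinting code reads; the value column notes what
# the answer reveals about the host.
FINGERPRINT_CLASSES = {
    "win32_processor": "CPU model and core count",
    "win32_videocontroller": "GPU name (e.g. VMware SVGA, VirtualBox Graphics Adapter)",
    "win32_diskdrive": "disk model/serial (e.g. VBOX HARDDISK)",
    "win32_computersystem": "manufacturer/model",
    "win32_bios": "BIOS vendor and serial",
}

# Minimal WQL shape handled here: SELECT <props> FROM <class> [WHERE <cond>]
WQL_RE = re.compile(
    r"^\s*SELECT\s+.+?\s+FROM\s+(\w+)(?:\s+WHERE\s+(.+?))?\s*$",
    re.IGNORECASE | re.DOTALL,
)


def classify_query(wql: str):
    """Return (class, where_clause, is_fingerprint) or None when the text is not a
    simple WQL query. HTML entities (the report renders quotes as &apos;) are decoded first."""
    m = WQL_RE.match(html.unescape(wql))
    if not m:
        return None
    cls = m.group(1).lower()
    return cls, m.group(2), cls in FINGERPRINT_CLASSES


def detect_fingerprinting(events, threshold=2):
    """events: (process_image, wql) pairs. A process is flagged once it has queried at
    least `threshold` distinct fingerprinting classes; the per-process set, not the raw
    count, is used so that a polling agent repeating one query is not flagged."""
    per_proc = defaultdict(set)
    for image, wql in events:
        parsed = classify_query(wql)
        if parsed and parsed[2]:
            per_proc[image].add(parsed[0])
    return {image: sorted(classes) for image, classes in per_proc.items() if len(classes) >= threshold}


# Constructed records (not real log data): the first four follow this report's rows,
# the remaining two are benign noise that must not be flagged.
SAMPLE_EVENTS = [
    ("C:\\Users\\user\\Desktop\\xD2TnigEaY.exe", "SELECT * FROM Win32_Processor"),
    ("C:\\Users\\user\\Desktop\\xD2TnigEaY.exe", "SELECT * FROM Win32_VideoController"),
    ("C:\\Users\\user\\Desktop\\xD2TnigEaY.exe", "SELECT * FROM Win32_DiskDrive"),
    ("C:\\Users\\user\\Desktop\\xD2TnigEaY.exe", "SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;"),
    ("C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "SELECT Name FROM Win32_Service"),
    ("C:\\Program Files\\Inventory\\agent.exe", "SELECT * FROM Win32_Processor"),
]

if __name__ == "__main__":
    for image, classes in detect_fingerprinting(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(classes))
```

The Win32_Process query filtered on SessionId is parsed but not counted: process enumeration is used for many purposes (here most plausibly locating browser processes to steal from), so it belongs in a separate rule rather than in the hardware-fingerprint score.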
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | File created: C:\Users\user\AppData\Local\Yandex
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
Source: xD2TnigEaY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: xD2TnigEaY.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: xD2TnigEaY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Code function: 0_2_00913C58 push esp; iretd
Source: xD2TnigEaY.exe | Static PE information: 0xB1F9532C [Thu Aug 14 02:36:28 2064 UTC]
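The static PE rows above (COM descriptor directory, DLL characteristics, debug directory and the 2064 time stamp) all come from the COFF and optional headers and can be reproduced with a few dozen lines of parsing. The following is an added example, not part of the Joe Sandbox report or of the sample: it parses those headers and turns them into the same kind of findings, and the header bytes it runs on are constructed to carry the report's values (TimeDateStamp 0xB1F9532C, 32-bit executable, DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE, debug and CLR directories), not extracted from xD2TnigEaY.exe.

```python
import struct
from datetime import datetime, timedelta, timezone

# Bit values from winnt.h.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR header: present only in managed (.NET) images


def parse_pe_header(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers (PE32 and PE32+) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, timestamp, _symtab, _nsym, _optsize, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+ (ImageBase is 8 bytes, so the tail shifts by 16)
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]

    def has_dir(idx):
        return idx < len(dirs) and dirs[idx][0] != 0

    return {
        "machine": machine,
        "timestamp": timestamp,
        "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_32bit": bool(chars & IMAGE_FILE_32BIT_MACHINE),
        "dll_flags": sorted(name for bit, name in DLL_CHARACTERISTICS.items() if dllchars & bit),
        "has_debug_dir": has_dir(IMAGE_DIRECTORY_ENTRY_DEBUG),
        "is_dotnet": has_dir(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR),
    }


def triage(data: bytes, now_epoch: int) -> dict:
    """Turn the header fields into the kind of static findings a sandbox report lists.
    now_epoch is the analysis time as Unix seconds, passed in so results are reproducible."""
    hdr = parse_pe_header(data)
    # timedelta arithmetic rather than fromtimestamp(): 2064 overflows 32-bit time_t platforms.
    compile_time = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=hdr["timestamp"])
    findings = []
    if hdr["timestamp"] > now_epoch:
        findings.append("suspicious time stamp: compile time %s is in the future" % compile_time.isoformat())
    if hdr["is_dotnet"]:
        findings.append("managed (.NET) image: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present")
    if hdr["is_32bit"] and hdr["is_executable"]:
        findings.append("32-bit PE executable")
    hdr["compile_time_utc"] = compile_time.isoformat()
    hdr["findings"] = findings
    return hdr


def build_sample_header() -> bytes:
    """Constructed minimal PE32 header (not the real sample) carrying the values the
    report lists. The optional header is 0xE0 bytes: 96 fixed bytes plus 16 directories."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0xB1F9532C, 0, 0, 0xE0,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<H", opt, 70, 0x8000 | 0x0400 | 0x0100 | 0x0040)    # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x2000, 0x1C)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    result = triage(build_sample_header(), now_epoch=int(datetime.now(timezone.utc).timestamp()))
    print(result["compile_time_utc"], result["dll_flags"])
    for line in result["findings"]:
        print("-", line)
```

One caveat when acting on the time stamp row: managed binaries built with the C# compiler's deterministic mode get a TimeDateStamp derived from a hash of the build inputs rather than the clock, so an impossible date is common in legitimate .NET software as well. Treat it as a weak indicator that raises the weight of the other findings, not as a verdict on its own.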
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Process information set: NOOPENFILEERRORBOX (58 identical events)
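The link timestamp listed above (0xB1F9532C, which decodes to 14 Aug 2064 UTC) lies decades after any plausible build date, which is why the report treats it as suspicious. The following Python is an added example and is not part of the Joe Sandbox report or of the sample: it reads IMAGE_FILE_HEADER.TimeDateStamp from a PE image and flags a stamp that is zero, post-dates the analysis, or pre-dates a plausible floor. The PE header it parses is constructed inline by make_minimal_pe(), and REFERENCE_TIME is an assumed analysis date, since the report excerpt does not state one.

```python
"""Flag an implausible PE link timestamp.

Added example, not part of the Joe Sandbox report or the sample. The PE header
is constructed in make_minimal_pe(); REFERENCE_TIME and EARLIEST_PLAUSIBLE are
the example's own assumptions.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumed time of analysis used as the "future" boundary (not taken from the report).
REFERENCE_TIME = datetime(2022, 1, 20, tzinfo=timezone.utc)
# Builds claiming a date before this are treated as forged (example floor).
EARLIEST_PLAUSIBLE = datetime(2000, 1, 1, tzinfo=timezone.utc)


def read_pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from raw PE bytes; raise ValueError if malformed."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def timestamp_to_utc(timestamp: int) -> datetime:
    """Decode the 32-bit seconds-since-epoch stamp without relying on platform time_t limits."""
    return EPOCH + timedelta(seconds=timestamp)


def is_suspicious_timestamp(timestamp: int, now: datetime = REFERENCE_TIME) -> bool:
    """True if the stamp is zero, lies after `now`, or predates EARLIEST_PLAUSIBLE."""
    if timestamp == 0:
        return True
    built = timestamp_to_utc(timestamp)
    return built > now or built < EARLIEST_PLAUSIBLE


def make_minimal_pe(timestamp: int) -> bytes:
    """Constructed fixture: MZ stub, PE signature and an IMAGE_FILE_HEADER carrying `timestamp`."""
    e_lfanew = 0x40
    dos_stub = bytearray(e_lfanew)
    dos_stub[:2] = b"MZ"
    struct.pack_into("<I", dos_stub, 0x3C, e_lfanew)
    # Machine=0x14C (i386), NumberOfSections=3, TimeDateStamp, PointerToSymbolTable=0,
    # NumberOfSymbols=0, SizeOfOptionalHeader=0xE0,
    # Characteristics=0x0102 (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    file_header = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos_stub) + b"PE\0\0" + file_header


if __name__ == "__main__":
    sample_stamp = 0xB1F9532C  # the value the report lists for xD2TnigEaY.exe
    stamp = read_pe_timestamp(make_minimal_pe(sample_stamp))
    print(f"0x{stamp:08X} -> {timestamp_to_utc(stamp).isoformat()} "
          f"suspicious={is_suspicious_timestamp(stamp)}")
```

Decoding through a timedelta rather than datetime.fromtimestamp keeps the check portable to hosts whose time_t or C library cannot represent dates past 2038; a forged stamp is exactly the case where that matters. Note that .NET assemblies built with deterministic compilation also carry stamps that are not build times, so the check is a triage signal rather than proof of tampering.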

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Window / User API: threadDelayed 760
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Window / User API: threadDelayed 3053
Source: C:\Users\user\Desktop\xD2TnigEaY.exe TID: 5040 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\xD2TnigEaY.exe TID: 1684 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Users\user\Desktop\xD2TnigEaY.exe VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: xD2TnigEaY.exe, type: SAMPLE
Source: Yara match | File source: 0.2.xD2TnigEaY.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.xD2TnigEaY.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.341469282.00000000001E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.397709229.00000000001E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xD2TnigEaY.exe PID: 5128, type: MEMORYSTR
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Found many strings related to Crypto-Wallets (likely being stolen)
Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp | String found in binary or memory: %appdata%\Electrum\wallets
Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp | String found in binary or memory: m4C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp | String found in binary or memory: m-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp | String found in binary or memory: %appdata%\Ethereum\wallets
Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp | String found in binary or memory: %appdata%\Ethereum\wallets
Source: xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp | String found in binary or memory: m8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\xD2TnigEaY.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: Yara match | File source: 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xD2TnigEaY.exe PID: 5128, type: MEMORYSTR
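The evasion and stealing sections above are flat lists of behaviour events; the useful triage step is to bucket such events into the families the report's signatures describe (anti-VM WMI queries, SecurityCenter product enumeration, evasive sleeps, wallet-directory access, browser credential-store access) and derive a verdict from the combination. The following Python is an added example, not part of the Joe Sandbox report or of the RedLine sample: it classifies event strings of the kind listed above, with or without the leading "Source:" column, and summarises them. The sample event list is constructed from the lines on this page; the family names, the 180-second sleep threshold, the WMI class sets and the path markers are the example's own choices.

```python
"""Classify sandbox behaviour events into signature families and summarise them.

Added example, not part of the Joe Sandbox report or the RedLine sample.
Event strings mimic the event column of the report's behaviour lists.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple

# WMI classes commonly queried to fingerprint a VM or sandbox (assumption: this list is
# the example's own, chosen from the classes the report flags above).
ANTI_VM_WMI_CLASSES = {"Win32_VideoController", "Win32_DiskDrive", "Win32_Processor"}
# SecurityCenter/SecurityCenter2 classes that enumerate installed security products.
SECURITY_PRODUCT_CLASSES = {"AntivirusProduct", "AntiSpyWareProduct", "FirewallProduct"}
# Lower-cased path fragments whose access indicates wallet or browser credential theft.
WALLET_MARKERS = ("\\ethereum\\wallets", "\\exodus\\exodus.wallet", "\\electrum\\wallets")
BROWSER_MARKERS = ("\\login data", "\\web data", "\\cookies")
# Delays at or above this many seconds count as evasive (example threshold).
LONG_SLEEP_SECONDS = 180

WMI_RE = re.compile(r"ExecQuery - (?P<ns>[\w\\]+) : SELECT \* FROM (?P<cls>\w+)", re.I)
SLEEP_RE = re.compile(r"(?:delay time|sleep time): -?(?P<secs>\d+)", re.I)
FILE_RE = re.compile(r"File opened: (?P<path>.+)$")


def classify(event: str) -> Optional[str]:
    """Return the signature family for one event line, or None if it is not of interest."""
    m = WMI_RE.search(event)
    if m:
        ns, cls = m["ns"].lower(), m["cls"]
        if cls in ANTI_VM_WMI_CLASSES:
            return "anti_vm_wmi"
        if "securitycenter" in ns and cls in SECURITY_PRODUCT_CLASSES:
            return "security_product_enum"
        return "other_wmi"
    m = SLEEP_RE.search(event)
    if m:
        # The report prints relative NT sleeps as negative values; only the magnitude matters.
        return "long_sleep" if int(m["secs"]) >= LONG_SLEEP_SECONDS else None
    m = FILE_RE.search(event)
    if m:
        path = m["path"].lower()
        if any(marker in path for marker in WALLET_MARKERS):
            return "wallet_access"
        if any(marker in path for marker in BROWSER_MARKERS):
            return "browser_credential_access"
    return None


def triage(events: List[str]) -> Tuple[Counter, List[Tuple[str, str]]]:
    """Bucket events by family; returns (per-family counts, list of (family, event))."""
    hits = [(fam, ev) for ev in events if (fam := classify(ev)) is not None]
    return Counter(fam for fam, _ in hits), hits


def verdict(counts: Counter) -> str:
    """Coarse label combining evasion and theft evidence (example heuristic)."""
    evasive = counts["anti_vm_wmi"] + counts["long_sleep"] + counts["security_product_enum"] > 0
    stealing = counts["wallet_access"] + counts["browser_credential_access"] > 0
    if evasive and stealing:
        return "evasive infostealer"
    if stealing:
        return "infostealer"
    if evasive:
        return "sandbox-evasive"
    return "no stealer/evasion indicators"


# Constructed sample events, modelled on the lines in the report above.
SAMPLE_EVENTS = [
    r"WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController",
    r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive",
    r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'",
    r"WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct",
    r"WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct",
    r"Thread delayed: delay time: 922337203685477",
    r"TID: 5040 Thread sleep time: -4611686018427385s >= -30000s",
    r"Thread delayed: delay time: 5",
    r"File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets",
    r"File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet",
    r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    r"File created: C:\Users\user\AppData\Local\Yandex",
]

if __name__ == "__main__":
    counts, hits = triage(SAMPLE_EVENTS)
    for family, event in hits:
        print(f"{family:26} {event}")
    print(dict(counts), "->", verdict(counts))
```

The Win32_Process query with a SessionId filter lands in other_wmi on purpose: process enumeration is common in benign software, and keeping it separate from the VM-fingerprinting classes stops it inflating the evasion score. The same split matters for the SecurityCenter queries, which on their own are also made by legitimate system-inventory tools; it is the combination with wallet and browser-store access that justifies the stealer verdict.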

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: xD2TnigEaY.exe, type: SAMPLE
Source: Yara match | File source: 0.2.xD2TnigEaY.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.xD2TnigEaY.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.341469282.00000000001E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.397709229.00000000001E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xD2TnigEaY.exe PID: 5128, type: MEMORYSTR

Mitre Att&ck Matrix

The matrix is listed per tactic column. A number in parentheses is the superscript signature count the page attaches to that technique; techniques without a number carry no signature hits for this sample.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (2/2/1); Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (2/3/1); Obfuscated Files or Information (1); Timestomp (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (2/2); Process Discovery (1/1); Virtualization/Sandbox Evasion (2/3/1); Application Window Discovery (1); System Information Discovery (1/2/3)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data (1); Data from Local System (3); Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

(graph image not reproduced)

Screenshots

(screenshot thumbnails from the analysis run not reproduced)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
xD2TnigEaY.exe | 65% | Virustotal | -
xD2TnigEaY.exe | 84% | ReversingLabs | ByteCode-MSIL.Infostealer.RedLine
xD2TnigEaY.exe | 100% | Avira | HEUR/AGEN.1145065
xD2TnigEaY.exe | 100% | Joe Sandbox ML | -

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.xD2TnigEaY.exe.1e0000.0.unpack | 100% | Avira | HEUR/AGEN.1145065
0.0.xD2TnigEaY.exe.1e0000.0.unpack | 100% | Avira | HEUR/AGEN.1145065

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://service.r | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
http://support.a | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
http://forms.rea | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22ResponseH0f | 100% | Avira URL Cloud | phishing
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
https://duckduckgo.com/chrome_newtab | xD2TnigEaY.exe, 00000000.00000002.399003702.0000000002A02000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399331879.0000000002B1D000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399057998.0000000002A28000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399691160.0000000003695000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000003.393215328.0000000003A80000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399932623.0000000003812000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399137901.0000000002A3F000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.400523351.0000000003BF7000.00000004.00000001.sdmp | false | - | high
http://service.r | xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | xD2TnigEaY.exe, 00000000.00000002.399003702.0000000002A02000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399331879.0000000002B1D000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399057998.0000000002A28000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399691160.0000000003695000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000003.393215328.0000000003A80000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399932623.0000000003812000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399137901.0000000002A3F000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.400523351.0000000003BF7000.00000004.00000001.sdmp | false | - | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id12Response | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id21Response | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id9 | xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id8 | xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id7 | xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
https://support.google.com/chrome/?p=plugin_real | xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id19Response | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp | false | - | high
https://support.google.com/chrome/?p=plugin_pdf | xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id15Response | xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp | false
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namexD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://forms.real.com/real/realone/download.html?type=rpsp_usxD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://support.axD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://tempuri.org/Entity/Id6ResponsexD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://api.ip.sb/ipxD2TnigEaY.exefalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exexD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        https://support.google.com/chrome/?p=plugin_quicktimexD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2004/04/scxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://tempuri.org/Entity/Id9ResponsexD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=xD2TnigEaY.exe, 00000000.00000002.399003702.0000000002A02000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399331879.0000000002B1D000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399057998.0000000002A28000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399691160.0000000003695000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000003.393215328.0000000003A80000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399932623.0000000003812000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399137901.0000000002A3F000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.400523351.0000000003BF7000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://tempuri.org/Entity/Id20xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399932623.0000000003812000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://tempuri.org/Entity/Id21xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://tempuri.org/Entity/Id22xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://tempuri.org/Entity/Id23xD2TnigEaY.exe, 00000000.00000002.398707670.00000000027F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id24xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssuexD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        http://tempuri.org/Entity/Id24ResponsexD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://tempuri.org/Entity/Id1ResponsexD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedxD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressingxD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://support.google.com/chrome/?p=plugin_shockwavexD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://forms.reaxD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssuexD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id22ResponseH0fxD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmptrue
                                                                                                              • Avira URL Cloud: phishing
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trustxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id10xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id11xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id12xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id16ResponsexD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsexD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id13xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id14xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id15xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id16xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/NoncexD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id17xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id18xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id5ResponsexD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id19xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressing/faultDxD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsxD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id10ResponsexD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RenewxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id8ResponsexD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            https://support.google.com/chrome/?p=plugin_wmpxD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0xD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://support.google.com/chrome/answer/6258784xD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399395155.0000000002B33000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399225008.0000000002A72000.00000004.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/soap/envelope/xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
                                                                                                                                            high
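The URL list above is dominated by strings that are not network destinations at all: WS-*/SOAP namespace constants and the tempuri.org default contract namespace that the .NET WCF stack embeds in any binary using it, plus browser and media-plugin vendor URLs. The only genuine destination in this section is https://api.ip.sb/ip (a public IP lookup), and the single "malicious: true" verdict sits on a truncated tempuri.org action name with trailing memory garbage. The script below is an added example by the editor, not part of the Joe Sandbox report and not code from the sample: it parses rows in the fused form this export uses (URL, then the sample name and memory-dump ids, then the true/false verdict, then an optional scanner line and a reputation line), splits them into the five columns, and buckets them so the indicators worth pivoting on stand out. The host lists, the bucket names and the decision to treat a scanner hit on a framework-namespace fragment as probable noise are the editor's assumptions; the embedded sample rows are copied from this report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample name as it appears in this report; every Source cell starts with it.
SAMPLE = "xD2TnigEaY.exe"

# Editor's assumption: namespace constants baked into any .NET/WCF binary
# (WS-*, SOAP, the tempuri.org default contract namespace), not destinations.
FRAMEWORK_HOSTS = {"schemas.xmlsoap.org", "docs.oasis-open.org", "tempuri.org", "www.w3.org"}
# Editor's assumption: vendor help/download URLs, not attacker infrastructure.
BROWSER_HOSTS = {"support.google.com", "www.interoperabilitybridges.com",
                 "forms.real.com", "download.divx.com", "duckduckgo.com"}


@dataclass
class UrlEntry:
    url: str
    sources: list[str] = field(default_factory=list)  # memory-dump ids the URL was found in
    malicious: bool = False                           # the report's true/false column
    detection: str | None = None                      # e.g. "URL Reputation: safe"
    reputation: str | None = None                     # "high" / "unknown"

    @property
    def host(self) -> str:
        m = re.match(r"https?://([^/?#]+)", self.url)
        return m.group(1).lower() if m else ""

    @property
    def category(self) -> str:
        if self.host in FRAMEWORK_HOSTS:
            return "framework-namespace"
        if self.host in BROWSER_HOSTS:
            return "browser-plugin-string"
        return "network-indicator"  # includes truncated fragments; review by hand


def parse_url_table(text: str, sample: str = SAMPLE) -> list[UrlEntry]:
    """Parse the fused export rows: '<url><sample>, <dump>[, <sample>, <dump>...]<true|false>',
    optionally followed by a '• <scanner>: <verdict>' line, then a reputation line."""
    entries: list[UrlEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if entries:
                entries[-1].detection = line.lstrip("• ").strip()
            continue
        idx = line.find(sample)
        if idx > 0 and (line.endswith("true") or line.endswith("false")):
            malicious = line.endswith("true")
            body = line[idx:-4] if malicious else line[idx:-5]
            dumps = [p.strip() for p in body.split(",") if p.strip() and p.strip() != sample]
            entries.append(UrlEntry(url=line[:idx], sources=dumps, malicious=malicious))
        elif entries and entries[-1].reputation is None:
            entries[-1].reputation = line
    return entries


def triage(entries: list[UrlEntry]) -> dict[str, list[str]]:
    """Bucket URLs by category and pull out the ones worth pivoting on."""
    result: dict[str, list[str]] = {"framework-namespace": [], "browser-plugin-string": [],
                                    "network-indicator": [], "flagged": [],
                                    "likely-false-positive": []}
    for e in entries:
        result[e.category].append(e.url)
        if e.malicious:
            result["flagged"].append(e.url)
            # Editor's assessment: a scanner verdict on a truncated framework
            # namespace fragment is noise, not an indicator.
            if e.category == "framework-namespace":
                result["likely-false-positive"].append(e.url)
    return result


# Rows copied from this report's URL table (constructed subset for the example).
SAMPLE_TABLE = """\
http://tempuri.org/Entity/Id6xD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmpfalse
• URL Reputation: safe
unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretxD2TnigEaY.exe, 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmpfalse
high
https://support.google.com/chrome/?p=plugin_pdfxD2TnigEaY.exe, 00000000.00000002.398891372.0000000002929000.00000004.00000001.sdmp, xD2TnigEaY.exe, 00000000.00000002.399537054.0000000002BE4000.00000004.00000001.sdmpfalse
high
https://api.ip.sb/ipxD2TnigEaY.exefalse
• URL Reputation: safe
unknown
http://tempuri.org/Entity/Id22ResponseH0fxD2TnigEaY.exe, 00000000.00000002.398534223.0000000002661000.00000004.00000001.sdmptrue
• Avira URL Cloud: phishing
unknown
"""

if __name__ == "__main__":
    for bucket, urls in triage(parse_url_table(SAMPLE_TABLE)).items():
        print(f"{bucket}: {urls}")
```

Run against the full table, triage() leaves api.ip.sb/ip as the only clean network indicator and files the Avira "phishing" hit on http://tempuri.org/Entity/Id22ResponseH0f under likely-false-positive. Truncated strings such as http://support.a also land in network-indicator, so that bucket still needs a human pass. The pivot that matters from this section is the api.ip.sb check-in together with the contacted host 208.167.249.72 in the Contacted IPs table.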

                                                                                                                                            Contacted IPs


                                                                                                                                            Public

                                                                                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                            208.167.249.72
                                                                                                                                            unknownUnited States
                                                                                                                                            20473AS-CHOOPAUStrue

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553367
Start date: 14.01.2022
Start time: 19:07:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: xD2TnigEaY (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.3% (good quality ratio 0.1%)
• Quality average: 24.2%
• Quality standard deviation: 35.4%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target xD2TnigEaY.exe, PID 5128 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time: 19:08:54
Type: API Interceptor
Description: 21x Sleep call for process: xD2TnigEaY.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xD2TnigEaY.exe.log
Process: C:\Users\user\Desktop\xD2TnigEaY.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2291
Entropy (8bit): 5.3192079301865585
Encrypted: false
SSDEEP: 48:MOfHK5HKXAHKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHKoLHG1qHjHKdHAHDJn:vq5qXAqLqdqUqzcGYqhQnoPtIxHbqoL1
MD5: B8B968C6C5994E11C0AEF299F6CC13DF
SHA1: 60351148A0D29E39DF51AE7F8D6DA7653E31BCF9
SHA-256: DD53198266985E5C23239DCDDE91B25CF1FC1F4266B239533C11DDF0EF0F958D
SHA-512: CFBCFCB650EF8C84A4BA005404E90ECAC9E77BDB618F53CD5948C085E44D099183C97C1D818A905B16C5E495FF167BD47347B14670A6E68801B0C01BC264F168
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.771488269227702
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.79%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
File name: xD2TnigEaY.exe
File size: 106496
MD5: 07dd723a06bb89dc1bdce3cc56f1cf20
SHA1: d36a56e3aa33c602cbb405dc6dd7425e17cf4672
SHA256: d56f880cb8c35e66750faa6ae9284f0eb2383cec287e8cef4f85122fe90d4305
SHA512: 0d031e01c6f19357db61df8801971de597ad50a8a3822232f97b186aada2d7f2e9758d5d6d120b510f8e5eef61cb08020c5d308094a3ccee9364b9c51e8d60ed
SSDEEP: 1536:bUVrU5RhoBuHDZATQWxUYlTiF/YuXUrsbYpf8MeRToPvsS800s:bUVIfpHDi0WxVJiHErkz5TRZu
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,S................0.................. ........@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4191ae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xB1F9532C [Thu Aug 14 02:36:28 2064 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
popad
add byte ptr [ebp+00h], dh
je 00007FE5C4E833B2h
outsd
add byte ptr [esi+00h], ah
imul eax, dword ptr [eax], 006C006Ch
push eax
add byte ptr [edx+00h], dh
outsd
add byte ptr [esi+00h], ah
imul eax, dword ptr [eax], 0065006Ch
jnc 00007FE5C4E833B2h
push esp
add byte ptr [edi+00h], ch
je 00007FE5C4E833B2h
popad
add byte ptr [eax+eax+20h], ch
add byte ptr [edi+00h], ch
add byte ptr [eax], ah
add byte ptr [edx+00h], dl
inc ecx
add byte ptr [ebp+00h], cl
and eax, 53005500h
add byte ptr [ebp+00h], al
push edx
add byte ptr [eax+00h], dl
inc ebp
add byte ptr [esi+00h], ch
jbe 00007FE5C4E833B2h
imul eax, dword ptr [eax], 006F0072h
outsb
add byte ptr [ebp+00h], ch
add byte ptr [esi+00h], ch
je 00007FE5C4E833B2h
push edx
add byte ptr [edi+00h], cl
inc esi
add byte ptr [ecx+00h], cl
dec esp
add byte ptr [ebp+00h], al
and eax, 41005C00h
add byte ptr [eax+00h], dh
jo 00007FE5C4E833B2h
inc esp
add byte ptr [ebp+00h], al
outsb
add byte ptr [esi+00h], dh
imul eax, dword ptr [eax], 006F0072h
outsb
add byte ptr [ebp+00h], ch
add byte ptr [esi+00h], ch
je 00007FE5C4E833B2h
popad
add byte ptr [eax+eax+61h], dh
add byte ptr [eax+eax+52h], bl
add byte ptr [edi+00h], ch
popad
add byte ptr [ebp+00h], al
outsb
add byte ptr [esi+00h], dh
imul eax, dword ptr [eax], 006F0072h
outsb
add byte ptr [ebp+00h], ch
add byte ptr [esi+00h], ch
je 00007FE5C4E833B2h
                                                                                                                                            insd
                                                                                                                                            add byte ptr [ecx+00h], ch
                                                                                                                                            outsb
                                                                                                                                            add byte ptr [edi+00h], ah
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            add byte ptr [eax], al
                                                                                                                                            inc ecx
                                                                                                                                            add byte ptr [eax+00h], dh
                                                                                                                                            jo 00007FE5C4E833B2h
                                                                                                                                            inc esp
                                                                                                                                            add byte ptr [ecx+00h], ah

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1915c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1c000          0x4dc         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x19140          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x18d84       0x19000   False     0.43318359375    data       5.87919002445   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x1c000          0x4dc         0x800     False     0.2841796875     data       2.99852033217   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x1e000          0xc           0x400     False     0.025390625      data       0.0558553080537 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                          Language  Country
RT_VERSION   0x1c090  0x24c  data
RT_MANIFEST  0x1c2ec  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright
Assembly Version  0.0.0.0
InternalName      Biphenyl.exe
FileVersion       0.0.0.0
ProductVersion    0.0.0.0
FileDescription
OriginalFilename  Biphenyl.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jan 14, 2022 19:08:39.704179049 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:39.806344986 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:39.806483030 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:40.139121056 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:40.242077112 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:40.293113947 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:41.254631042 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:41.359790087 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:41.481159925 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:47.804213047 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:47.913950920 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:47.913996935 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:47.914026022 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:47.914129972 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:47.965620995 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:51.289343119 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:51.395407915 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:51.399336100 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:51.502145052 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:51.533360004 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:51.636004925 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:51.684915066 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:51.712976933 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:51.822846889 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:51.850059986 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:51.955535889 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:51.997251987 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:52.098799944 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:52.201138973 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:52.201544046 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:52.217940092 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:52.321124077 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:52.357084036 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:52.459476948 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:52.465296030 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:52.567934990 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:52.569504023 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:52.672255039 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:52.716039896 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:52.747411013 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:52.850101948 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:52.901273966 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.206932068 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.308820009 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.308845997 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.308936119 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.308996916 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.309159994 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.309204102 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.309217930 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.309242964 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.309289932 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.309323072 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.410912991 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.410953045 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.410978079 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.410999060 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.411039114 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.411068916 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.411153078 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.411197901 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.411250114 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.411276102 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.411315918 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.411422014 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.424961090 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513025999 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513045073 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513056993 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513068914 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513128996 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513139963 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513410091 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513422012 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513525963 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.513528109 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513540030 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513603926 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.513619900 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.513652086 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513664961 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513894081 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.513906002 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.514249086 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.514328957 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.514358997 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.514370918 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.514585018 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.515120983 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.515191078 CET  49758        2943       192.168.2.6     208.167.249.72
Jan 14, 2022 19:08:53.615264893 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.615289927 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.615370035 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.615539074 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.615555048 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.615823030 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.615843058 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.615859985 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.616053104 CET  2943         49758      208.167.249.72  192.168.2.6
Jan 14, 2022 19:08:53.616071939 CET  2943         49758      208.167.249.72  192.168.2.6

Code Manipulations

Statistics

System Behavior

General

Start time: 19:08:30
Start date: 14/01/2022
Path: C:\Users\user\Desktop\xD2TnigEaY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\xD2TnigEaY.exe"
Imagebase: 0x1e0000
File size: 106496 bytes
MD5 hash: 07DD723A06BB89DC1BDCE3CC56F1CF20
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.341469282.00000000001E2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.397709229.00000000001E2000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.398592673.00000000026F0000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis
