
Windows Analysis Report
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe

Overview

General Information

Sample Name: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
Analysis ID: 831176
MD5: f8e0e6946af017037e8bb4d5455d4e99
SHA1: 6691a0d551c3991fbe5f18147711e829616099bb
SHA256: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted malware configuration (RedLine):
{"C2 url": ["45.12.253.144:40145"], "Authorization Header": "6528d0f243ad9e530a68f2a487521a80"}
Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
Rule: MALWARE_Win_RedLine
Description: Detects RedLine infostealer
Author: ditekSHen
Strings:
  • 0x1bc0:$pat14: , CommandLine:
  • 0x2c89f:$v2_1: ListOfProcesses
  • 0x2c673:$v4_3: base64str
  • 0x2d278:$v4_4: stringKey
  • 0x2ae26:$v4_5: BytesToStringConverted
  • 0x2a018:$v4_6: FromBase64
  • 0x2b379:$v4_8: procName
  • 0x2bb86:$v5_5: FileScanning
  • 0x2b035:$v5_7: RecordHeaderField
  • 0x2acd6:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Source: dump.pcap | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: dump.pcap | Rule: JoeSecurity_RedLine_1 | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe PID: 5984 | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: Process Memory Space: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe PID: 5984 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.0.4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe.110000.0.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Strings:
  • 0x1bc0:$pat14: , CommandLine:
  • 0x2c89f:$v2_1: ListOfProcesses
  • 0x2c673:$v4_3: base64str
  • 0x2d278:$v4_4: stringKey
  • 0x2ae26:$v4_5: BytesToStringConverted
  • 0x2a018:$v4_6: FromBase64
  • 0x2b379:$v4_8: procName
  • 0x2bb86:$v5_5: FileScanning
  • 0x2b035:$v5_7: RecordHeaderField
  • 0x2acd6:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT

No Sigma rule has matched

Snort IDS alerts:

Timestamp: 03/21/23-08:17:29.178532
SID: 2043231
Source IP: 192.168.2.3
Destination IP: 45.12.253.144
Source Port: 49684
Destination Port: 40145
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/21/23-08:17:12.348374
SID: 2043234
Source IP: 45.12.253.144
Destination IP: 192.168.2.3
Source Port: 40145
Destination Port: 49684
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/21/23-08:17:10.969942
SID: 2043233
Source IP: 192.168.2.3
Destination IP: 45.12.253.144
Source Port: 49684
Destination Port: 40145
Protocol: TCP
Classtype: A Network Trojan was detected


                AV Detection

Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | ReversingLabs: Detection: 71%
Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Virustotal: Detection: 54%
Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Avira: detected
Source: 45.12.253.144:40145 | Avira URL Cloud: Label: malware
Source: 45.12.253.144:40145 | Virustotal: Detection: 18%
Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Joe Sandbox ML: detected
Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Malware Configuration Extractor: RedLine {"C2 url": ["45.12.253.144:40145"], "Authorization Header": "6528d0f243ad9e530a68f2a487521a80"}
Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Traffic | Snort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49684 -> 45.12.253.144:40145
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49684 -> 45.12.253.144:40145
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 45.12.253.144:40145 -> 192.168.2.3:49684
Source: Malware configuration extractor | URLs: 45.12.253.144:40145
Source: Joe Sandbox View | ASN Name: CMCSUS CMCSUS
Source: global traffic | TCP traffic: 192.168.2.3:49684 -> 45.12.253.144:40145
Source: unknown | TCP traffic detected without corresponding DNS query: 45.12.253.144 (reported 50 times in this analysis)
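The Snort signatures above (in particular 2043233, "RedLine Stealer TCP CnC net.tcp Init") fire on the .NET Message Framing preamble that a WCF net.tcp client sends when it opens a channel, which is why the C2 traffic goes to a raw IP on a non-standard port with no DNS lookup first. The following is an added example written for this page, not code from the Joe Sandbox report or from the RedLine sample: it decodes that preamble from a captured TCP payload and reports why the session deserves attention. Assumptions, labelled in the code as well: the record layout (version, mode, via, known-encoding, preamble-end records with a 7-bit length prefix) follows the MS-NMF specification as used by WCF; 808 is WCF's default net.tcp port; the sample bytes are constructed for the example rather than taken from dump.pcap; the C2 set is the endpoint from the report's extracted configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

# Record-type bytes as specified in .NET Message Framing (MS-NMF); assumption
# that the RedLine channel follows the spec exactly, as the ET rule name implies.
REC_VERSION, REC_MODE, REC_VIA = 0x00, 0x01, 0x02
REC_KNOWN_ENCODING, REC_PREAMBLE_END = 0x03, 0x0C
MODES = {0x01: "SingletonUnsized", 0x02: "Duplex",
         0x03: "Simplex", 0x04: "SingletonSized"}
# Encodings used by WCF's binary net.tcp bindings; text/MTOM values exist too.
ENCODINGS = {0x07: "Binary", 0x08: "Binary with in-band dictionary"}
NET_TCP_DEFAULT_PORT = 808  # WCF default for net.tcp (assumption, see lead-in)


@dataclass
class NmfPreamble:
    version: str
    mode: str
    via: str
    encoding: str
    host: str
    port: int


def _byte(buf: bytes, pos: int) -> int:
    """Bounds-checked byte read so truncated captures raise cleanly."""
    if pos >= len(buf):
        raise ValueError("truncated preamble at offset %d" % pos)
    return buf[pos]


def _varint(buf: bytes, pos: int):
    """MS-NMF length prefix: 7 bits per byte, low group first, MSB = more."""
    value, shift = 0, 0
    while True:
        b = _byte(buf, pos)
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 28:
            raise ValueError("length prefix too long")


def parse_preamble(buf: bytes) -> NmfPreamble:
    """Decode a client preamble; raise ValueError if the bytes are not NMF."""
    if _byte(buf, 0) != REC_VERSION:
        raise ValueError("missing version record")
    version = "%d.%d" % (_byte(buf, 1), _byte(buf, 2))
    if _byte(buf, 3) != REC_MODE or _byte(buf, 4) not in MODES:
        raise ValueError("missing or unknown mode record")
    mode = MODES[_byte(buf, 4)]
    if _byte(buf, 5) != REC_VIA:
        raise ValueError("missing via record")
    length, pos = _varint(buf, 6)
    if pos + length > len(buf):
        raise ValueError("via record overruns buffer")
    via = buf[pos:pos + length].decode("utf-8")
    pos += length
    if _byte(buf, pos) != REC_KNOWN_ENCODING:
        raise ValueError("missing known-encoding record")
    enc_byte = _byte(buf, pos + 1)
    encoding = ENCODINGS.get(enc_byte, "other (0x%02x)" % enc_byte)
    if _byte(buf, pos + 2) != REC_PREAMBLE_END:
        raise ValueError("missing preamble-end record")
    parts = urlsplit(via)
    if parts.scheme != "net.tcp" or not parts.hostname:
        raise ValueError("via is not a net.tcp URI: %r" % via)
    return NmfPreamble(version, mode, via, encoding, parts.hostname,
                       parts.port or NET_TCP_DEFAULT_PORT)


def assess(p: NmfPreamble, c2_iocs: set) -> list:
    """Reasons this net.tcp session deserves attention (empty list = none)."""
    reasons = []
    endpoint = "%s:%d" % (p.host, p.port)
    if endpoint in c2_iocs:
        reasons.append("endpoint %s matches extracted RedLine C2" % endpoint)
    try:
        ip_address(p.host)
        reasons.append("via names a raw IP literal, so no DNS query precedes it")
    except ValueError:
        pass  # a hostname; the DNS log should show the lookup
    if p.port != NET_TCP_DEFAULT_PORT:
        reasons.append("non-default net.tcp port %d" % p.port)
    return reasons


# CONSTRUCTED sample (not bytes from the report's dump.pcap): the preamble a
# WCF client sends to open a duplex, binary-encoded channel to the C2 endpoint
# that the report's configuration extractor recovered.
VIA = b"net.tcp://45.12.253.144:40145/"
SAMPLE_INIT = (bytes([REC_VERSION, 0x01, 0x00, REC_MODE, 0x02, REC_VIA, len(VIA)])
               + VIA + bytes([REC_KNOWN_ENCODING, 0x08, REC_PREAMBLE_END]))
REPORT_C2 = {"45.12.253.144:40145"}  # from the extracted configuration above

if __name__ == "__main__":
    pre = parse_preamble(SAMPLE_INIT)
    print(pre)
    for reason in assess(pre, REPORT_C2):
        print(" -", reason)
```

To use it on real traffic, feed `parse_preamble` the first bytes of the client-to-server TCP payload for the flow the IDS flagged; a `ValueError` means the payload is not a net.tcp preamble and the alert needs a different explanation, while a clean parse gives the exact via URI to pivot on.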
Strings found in binary or memory (all WS-* namespace URIs: WS-Addressing, WS-Security, WS-Trust, WS-SecureConversation, WS-ReliableMessaging, WS-AtomicTransaction and WS-Coordination identifiers that ship inside .NET's System.ServiceModel; their presence is consistent with the WCF net.tcp C2 channel the Snort signatures flagged, and they are not C2 URLs or usable IOCs):

Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp
  • http://schemas.xmlsoap.org/soap/actor/next
  • http://schemas.xmlsoap.org/soap/envelope/
  • http://schemas.xmlsoap.org/ws/2004/08/addressing
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/faultH
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  • http://schemas.xmlsoap.org/ws/2005/02/rm
  • http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  • http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  • http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  • http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  • http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  • http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
  • http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  • http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
  • http://schemas.xmlsoap.org/ws/2002/12/policy
  • http://schemas.xmlsoap.org/ws/2004/04/sc
  • http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  • http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  • http://schemas.xmlsoap.org/ws/2004/04/trust
  • http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  • http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  • http://schemas.xmlsoap.org/ws/2004/06/addressingex
  • http://schemas.xmlsoap.org/ws/2004/10/wsat
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
  • http://schemas.xmlsoap.org/ws/2005/02/sc
  • http://schemas.xmlsoap.org/ws/2005/02/sc/dk
  • http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
  • http://schemas.xmlsoap.org/ws/2005/02/sc/sct
  • http://schemas.xmlsoap.org/ws/2005/02/trust
  • http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
  • http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
  • http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
  • http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  • http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
  • http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000267D000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000267D000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000267D000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000267D000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000267D000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000542C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000542C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000542C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005331000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002A58000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054C7000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.0000000004422000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053AE000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.000000000443F000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002670000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000025E0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005449000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054AA000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000293B000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000534E000.00000004.00000800.00020000.00000000.sdmp, 
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000542C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000542C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005331000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002A58000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054C7000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.0000000004422000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053AE000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.000000000443F000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002670000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000025E0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005449000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054AA000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000293B000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000534E000.00000004.00000800.00020000.00000000.sdmp, 
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000542C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005331000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002A58000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054C7000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.0000000004422000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053AE000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.000000000443F000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002670000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000025E0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005449000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054AA000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000293B000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000534E000.00000004.00000800.00020000.00000000.sdmp, 
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000542C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054C7000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.000000000443F000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005449000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000534E000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005331000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002A58000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054C7000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.0000000004422000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053AE000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.000000000443F000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002670000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000025E0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005449000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054AA000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000293B000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000534E000.00000004.00000800.00020000.00000000.sdmp, 
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000542C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005331000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002A58000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054C7000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.0000000004422000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053AE000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.000000000443F000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002670000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000025E0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005449000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054AA000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000293B000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000534E000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000542C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                System Summary

                barindex
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, type: SAMPLE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 0.0.4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe.110000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, type: SAMPLE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 0.0.4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe.110000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B140A8
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B12820
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B13288
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B19BF0
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B10448
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B11F18
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B12810
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B189E8
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B189D8
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B16130
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B16121
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B11287
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B15AE0
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B11319
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B16368
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B11358
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B16CAA
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B16CF0
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B10402
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B16590
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B16581
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_023632C3
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_02362B68
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_023653A0
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_02360040
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_023648B8
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_02361FD8
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0236556E
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_02360DE0
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_02362B58
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_02365390
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_02360006
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_023648A9
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_02363930
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_02363E28
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_02363E19
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_023607D0
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_023607C0
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_02361FC8
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_02360DD0
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04983DA8
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498AD38
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_049827E8
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_049897E0
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498D728
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04983018
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498C870
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_049809C8
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498F110
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04986A08
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498A4B3
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04980CF8
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04980CEA
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04984412
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498E449
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04983D9E
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04989DF4
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498A5EB
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04984536
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498AD28
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498A69A
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04989E8C
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498A685
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04989E09
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498A600
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04989E77
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_049847A0
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_049827D8
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_049897D0
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498D718
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04989F1D
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04989F12
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04989F14
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_049870F8
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498D0F0
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498D0E1
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04983008
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498C860
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_049809B9
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_049869F8
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498F101
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498DA88
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04982A8F
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498434D
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A414A4
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A414CF
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A48448
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A48458
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A4469B
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A436E1
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A436F0
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A406FF
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A4461B
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A40007
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A40040
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A4026A
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A45251
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A473EA
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A41370
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A4137C
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A47C88
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A40C3A
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A49C08
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A42C19
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A47C78
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A44D88
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A44D98
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A40D74
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A40D76
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A40D7F
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A45807
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A45818
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A42A18
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A43A60
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A43A50
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A45BF9
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A49BFA
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A48B00
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000000.243013701.0000000000156000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAbettals.exe< vs 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000267D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000267D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000267D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000267D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000267D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Binary or memory string: OriginalFilenameAbettals.exe< vs 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | ReversingLabs: Detection: 71%
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Virustotal: Detection: 54%
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | File created: C:\Users\user\AppData\Local\Yandex
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002818000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000043BD000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000282C000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002795000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.000000000431B000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.000000000436C000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000027A9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_00B182A6 push cs; iretd
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498BDD3 pushfd ; ret
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498B961 push edx; iretd
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_0498C3A3 pushfd ; ret
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Code function: 0_2_04A46988 push es; ret
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Static PE information: 0x992E39FC [Fri Jun 9 17:12:28 2051 UTC]
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe TID: 4632 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe TID: 5760 | Thread sleep count: 3199 > 30
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe TID: 6004 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Window / User API: threadDelayed 3199
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Queries volume information: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe VolumeInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                Source: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000003.304042575.0000000000847000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6)\IRGlphsqlRTeevjRsJJWeDLvLwNCvdRczSXmjNIVoXDyneQramFiles%\Windows Defender\MsMpeng.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: Yara match | File source: 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe PID: 5984, type: MEMORYSTR
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: Yara match | File source: 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe PID: 5984, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: Yara match | File source: 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe PID: 5984, type: MEMORYSTR
                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid Accounts221
                Windows Management Instrumentation
                Path InterceptionPath Interception1
                Masquerading
                1
                OS Credential Dumping
                23
                Security Software Discovery
                Remote Services1
                Archive Collected Data
                Exfiltration Over Other Network Medium1
                Encrypted Channel
                Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                Disable or Modify Tools
                LSASS Memory11
                Process Discovery
                Remote Desktop Protocol2
                Data from Local System
                Exfiltration Over Bluetooth1
                Non-Standard Port
                Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)231
                Virtualization/Sandbox Evasion
                Security Account Manager231
                Virtualization/Sandbox Evasion
                SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                Application Layer Protocol
                Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                Obfuscated Files or Information
                NTDS1
                Application Window Discovery
                Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                Timestomp
                LSA Secrets123
                System Information Discovery
                SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

                Source | Detection | Scanner | Label | Link
                4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | 72% | ReversingLabs | ByteCode-MSIL.Spyware.RedLine |
                4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | 54% | Virustotal | | Browse
                4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | 100% | Avira | HEUR/AGEN.1203040 |
                4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                Source | Detection | Scanner | Label | Link | Download
                0.0.4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe.110000.0.unpack | 100% | Avira | HEUR/AGEN.1203040 | | Download File
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe |
                http://tempuri.org/ | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe |
                https://api.ip.sb/ip | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id17Response | 0% | URL Reputation | safe |
                http://tempuri.org/Entity/Id17Response | 0% | URL Reputation | safe |
                45.12.253.144:40145 | 100% | Avira URL Cloud | malware |
                45.12.253.144:40145 | 19% | Virustotal | | Browse
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                45.12.253.144:40145 | true | 19%, Virustotal, Browse; Avira URL Cloud: malware | unknown
                                                                    high
                                                                    http://tempuri.org/Entity/Id204f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://tempuri.org/Entity/Id214f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://tempuri.org/Entity/Id224f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA14f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA14f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id1Response4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005331000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002A58000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054C7000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.0000000004422000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053AE000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.000000000443F000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002670000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000025E0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005449000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054AA000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000293B000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 
00000000.00000002.322993673.000000000534E000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000542C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/08/addressing4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trust4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://tempuri.org/Entity/Id104f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id114f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id124f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id16Response4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id134f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id144f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id154f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressing/faultH4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id164f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id174f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id184f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id5Response4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id194f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id10Response4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000267D000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/Renew4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id8Response4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000267D000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.04f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2006/02/addressingidentity4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/soap/envelope/4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://search.yahoo.com?fr=crmas_sfpf4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005331000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002A58000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054C7000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.0000000004422000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053AE000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.000000000443F000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002670000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000025E0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.0000000005449000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.00000000054AA000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.000000000293B000.00000004.00000800.00020000.00000000.sdmp, 
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000534E000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.311064253.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.322993673.000000000542C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA14f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback | 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT | 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2004/06/addressingex | 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor | 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce | 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew | 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/Entity/Id17Response | 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp | false | unknown
• URL Reputation: safe
• URL Reputation: safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510 | 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe, 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
45.12.253.144 | unknown | Germany | 33657 | CMCSUS | true
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 831176
Start date and time: 2023-03-21 08:16:08 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 27s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 209.197.3.8
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, www-www.bing.com.trafficmanager.net, wu-bg-shim.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtAllocateVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
Time | Type | Description
08:17:26 | API Interceptor | 17x Sleep call for process: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe modified
No context
Process: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2843
Entropy (8bit): 5.3371553026862095
Encrypted: false
SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIWUfHKhBHKdHKBfHK5AHKzvQTHmtHoxHImHKx1qHjC:iqXeqm00YqhQnouOqLqdqNq2qzcGtIxw
MD5: 3CF15F26423086F7633BB4066F6D1128
SHA1: 009194C567E122B6CBB9BFC45FD854BA30433C43
SHA-256: 28279AEAD69778149C740526EF13D927FF69632B69B5F1759E6C697720D9D413
SHA-512: 14FD6C0CDF9CDE9B651DF4420DD81F847288C5534F5DDC9773DA9B80B49B15BCE7C804E3DB9819CACF9C09CAADEE75812F43A897F8C678E3650CF46107E24AF9
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.718977884670442
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
File size: 344064
MD5: f8e0e6946af017037e8bb4d5455d4e99
SHA1: 6691a0d551c3991fbe5f18147711e829616099bb
SHA256: 4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e
SHA512: f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93
SSDEEP: 6144:/9iSw0wGzCUaIgYH/BwjL4rEwgGCHNUqsVwMS5ZVU3mgswg1st8WDx:/9iOZCUaKHFfVwMS5ZVU3mgswg1st8W9
TLSH: 2F7409887670FD9EC857C47F8A581C24A6636466570BA203B05317ED9A3DB9BFE130B3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9................0..,...........J... ...`....@.. ....................................@................................
Icon Hash: c883b69c94a283c8
Entrypoint: 0x444aee
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x992E39FC [Fri Jun 9 17:12:28 2051 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x44aa0          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x46000          0x10f1e       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x58000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x42af4       0x42c00   False     0.46471939372659177  data       6.069210974476297    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x46000          0x10f1e       0x11000   False     0.06509937959558823  data       2.4874198018197604   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x58000          0xc           0x200     False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type                                                                                             Language  Country
RT_ICON        0x46130  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 11811 x 11811 px/m
RT_GROUP_ICON  0x56958  0x14     data
RT_VERSION     0x5696c  0x3c8    data
RT_MANIFEST    0x56d34  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                                           Source Port  Dest Port  Source IP      Dest IP
03/21/23-08:17:29.178532  TCP       2043231  ET TROJAN Redline Stealer TCP CnC Activity        49684        40145      192.168.2.3    45.12.253.144
03/21/23-08:17:12.348374  TCP       2043234  ET MALWARE Redline Stealer TCP CnC - Id1Response  40145        49684      45.12.253.144  192.168.2.3
03/21/23-08:17:10.969942  TCP       2043233  ET TROJAN RedLine Stealer TCP CnC net.tcp Init    49684        40145      192.168.2.3    45.12.253.144
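The three Snort alerts above and the packet list that follows describe a single TCP conversation between the sandbox host 192.168.2.3 and 45.12.253.144 on port 40145. The Python below is an added example, not part of the Joe Sandbox report, showing how an analyst can group such packet records into flows, pin each IDS alert to the flow whose endpoints it names, and flag the flow for a non-standard server port. The packet rows are a constructed subset of the report's packet table, the alert rows are the report's three alerts, and the set of expected server ports is an assumption of the example.

```python
"""Flow triage over sandbox packet records and Snort alerts (added example)."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed subset of the report's TCP packet table:
# (timestamp, source port, dest port, source IP, dest IP)
PACKETS = [
    ("Mar 21, 2023 08:17:10.665235043 CET", 49684, 40145, "192.168.2.3", "45.12.253.144"),
    ("Mar 21, 2023 08:17:10.692508936 CET", 40145, 49684, "45.12.253.144", "192.168.2.3"),
    ("Mar 21, 2023 08:17:10.692722082 CET", 49684, 40145, "192.168.2.3", "45.12.253.144"),
    ("Mar 21, 2023 08:17:10.969942093 CET", 49684, 40145, "192.168.2.3", "45.12.253.144"),
    ("Mar 21, 2023 08:17:10.997829914 CET", 40145, 49684, "45.12.253.144", "192.168.2.3"),
    ("Mar 21, 2023 08:17:12.318656921 CET", 49684, 40145, "192.168.2.3", "45.12.253.144"),
    ("Mar 21, 2023 08:17:12.348373890 CET", 40145, 49684, "45.12.253.144", "192.168.2.3"),
    ("Mar 21, 2023 08:17:19.190418005 CET", 49684, 40145, "192.168.2.3", "45.12.253.144"),
    ("Mar 21, 2023 08:17:19.220309973 CET", 40145, 49684, "45.12.253.144", "192.168.2.3"),
]

# The report's three Snort alerts: (SID, message, source port, dest port, source IP, dest IP)
ALERTS = [
    (2043233, "ET TROJAN RedLine Stealer TCP CnC net.tcp Init", 49684, 40145, "192.168.2.3", "45.12.253.144"),
    (2043234, "ET MALWARE Redline Stealer TCP CnC - Id1Response", 40145, 49684, "45.12.253.144", "192.168.2.3"),
    (2043231, "ET TROJAN Redline Stealer TCP CnC Activity", 49684, 40145, "192.168.2.3", "45.12.253.144"),
]

# Assumption of this example: server ports outside this set count as non-standard.
EXPECTED_SERVER_PORTS = {80, 443}


def parse_ts(text):
    """Parse 'Mar 21, 2023 08:17:10.665235043 CET' into a naive datetime."""
    # strptime accepts at most six fractional digits, so the nanosecond tail is cut;
    # the zone suffix is dropped because every row in the report carries the same one.
    body, _zone = text.rsplit(" ", 1)
    head, frac = body.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


@dataclass
class Flow:
    client: tuple            # (ip, port) of the side that sent the first packet seen
    server: tuple            # (ip, port) of the other side
    first_seen: datetime
    last_seen: datetime
    to_server: int = 0       # packets client -> server
    to_client: int = 0       # packets server -> client
    alerts: list = field(default_factory=list)

    @property
    def duration_s(self):
        return (self.last_seen - self.first_seen).total_seconds()


def flow_key(ip_a, port_a, ip_b, port_b):
    """Direction-independent key, so both halves of a conversation map to one flow."""
    return frozenset({(ip_a, port_a), (ip_b, port_b)})


def build_flows(packets):
    """Group packet records into flows; rows are assumed to be in capture order."""
    flows = {}
    for ts_text, sport, dport, sip, dip in packets:
        ts = parse_ts(ts_text)
        key = flow_key(sip, sport, dip, dport)
        flow = flows.get(key)
        if flow is None:
            flow = Flow(client=(sip, sport), server=(dip, dport), first_seen=ts, last_seen=ts)
            flows[key] = flow
        flow.last_seen = max(flow.last_seen, ts)
        if (sip, sport) == flow.client:
            flow.to_server += 1
        else:
            flow.to_client += 1
    return flows


def attach_alerts(flows, alerts):
    """Pin each IDS alert to the flow whose endpoints it names; return alerts matching no flow."""
    unmatched = []
    for sid, msg, sport, dport, sip, dip in alerts:
        flow = flows.get(flow_key(sip, sport, dip, dport))
        if flow is None:
            unmatched.append((sid, msg))
        else:
            flow.alerts.append((sid, msg))
    return unmatched


def triage(packets, alerts):
    """Return [(flow, reasons)] for flows carrying an alert or using a non-standard server port."""
    flows = build_flows(packets)
    attach_alerts(flows, alerts)
    findings = []
    for flow in flows.values():
        reasons = []
        if flow.server[1] not in EXPECTED_SERVER_PORTS:
            reasons.append(f"server port {flow.server[1]} is not an expected service port")
        if flow.alerts:
            sids = ", ".join(str(sid) for sid, _ in sorted(flow.alerts))
            reasons.append(f"IDS alerts on this flow: {sids}")
        if reasons:
            findings.append((flow, reasons))
    return findings


if __name__ == "__main__":
    for flow, reasons in triage(PACKETS, ALERTS):
        print(f"{flow.client[0]}:{flow.client[1]} -> {flow.server[0]}:{flow.server[1]}: "
              f"{flow.to_server} out, {flow.to_client} in, {flow.duration_s:.6f} s; " + "; ".join(reasons))
```

Run stand-alone it reports one flow, 192.168.2.3:49684 to 45.12.253.144:40145, with five outbound and four inbound packets in the subset and all three SIDs attached. The frozenset key is what makes the server's Id1Response alert (source 40145) land on the same flow as the client's net.tcp Init alert; keying on the raw (src, dst) tuple would split one C2 session into two records.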
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Mar 21, 2023 08:17:10.665235043 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:10.692508936 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:10.692722082 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:10.969942093 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:10.997829914 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:11.051953077 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:12.318656921 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:12.348373890 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:12.395819902 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:19.190418005 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:19.220309973 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:19.220379114 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:19.220432043 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:19.220479012 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:19.275690079 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:21.834667921 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:21.862983942 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:21.996613979 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.038592100 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.066274881 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.198462963 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.670684099 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.699497938 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.699742079 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.726485014 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.726536036 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.726632118 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.726632118 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.726902008 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.726939917 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.726974010 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.726999998 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.727008104 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.727042913 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.727046013 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.727077961 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.727103949 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.727103949 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.727113962 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.727139950 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.727164984 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.727164984 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.727195024 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.727204084 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.727278948 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.727343082 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.727425098 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.753403902 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.753571033 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.753567934 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.753679991 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.753784895 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.753820896 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.753865004 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.753901958 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.753915071 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.754000902 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.754158020 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.754194975 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.754232883 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.754281998 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.754287004 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.754374981 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.754380941 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.754458904 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.754472971 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.754581928 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.754622936 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.754657984 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.754812002 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.754920006 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.754982948 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.755063057 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.755095959 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.755130053 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.755148888 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.755148888 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.755208969 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.755208969 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.755420923 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.755459070 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.755531073 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.755531073 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.755577087 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.780391932 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.780442953 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.780493021 CET  40145        49684      45.12.253.144  192.168.2.3
Mar 21, 2023 08:17:22.780596972 CET  49684        40145      192.168.2.3    45.12.253.144
Mar 21, 2023 08:17:22.780596972 CET  49684        40145      192.168.2.3    45.12.253.144
                                                                                                                                                  Mar 21, 2023 08:17:22.780704975 CET4968440145192.168.2.345.12.253.144
                                                                                                                                                  Mar 21, 2023 08:17:22.780730963 CET401454968445.12.253.144192.168.2.3
                                                                                                                                                  Mar 21, 2023 08:17:22.780901909 CET401454968445.12.253.144192.168.2.3
                                                                                                                                                  Mar 21, 2023 08:17:22.781301975 CET401454968445.12.253.144192.168.2.3
                                                                                                                                                  Mar 21, 2023 08:17:22.781333923 CET401454968445.12.253.144192.168.2.3
                                                                                                                                                  Mar 21, 2023 08:17:22.781534910 CET401454968445.12.253.144192.168.2.3
                                                                                                                                                  Mar 21, 2023 08:17:22.781945944 CET401454968445.12.253.144192.168.2.3
                                                                                                                                                  Mar 21, 2023 08:17:22.781982899 CET401454968445.12.253.144192.168.2.3
                                                                                                                                                  Mar 21, 2023 08:17:22.782016039 CET401454968445.12.253.144192.168.2.3
                                                                                                                                                  Mar 21, 2023 08:17:22.782073021 CET401454968445.12.253.144192.168.2.3
                                                                                                                                                  Mar 21, 2023 08:17:22.782223940 CET401454968445.12.253.144192.168.2.3
No statistics

Target ID: 0
Start time: 08:17:00
Start date: 21/03/2023
Path: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f3.exe
Imagebase: 0x110000
File size: 344064 bytes
MD5 hash: F8E0E6946AF017037E8BB4D5455D4E99
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.307048446.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.307048446.0000000002573000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

No disassembly