
Windows Analysis Report
UniverseCity.exe

Overview

General Information

Sample Name: UniverseCity.exe
Analysis ID: 753417
MD5: 2815815f0488b3d2307c3a914ddc1d7a
SHA1: c5845c0c743106ac27622d32689a24e2f52a9ab7
SHA256: 14b87b3a9eb96e080373e2a7203b664b63cec8cc163bbd10b028ecf5441f7f67
Tags: 185-206-213-32CosmicWayexeFakeGaliXCityRedLineStealerUniverseCity

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to steal Crypto Currency Wallets
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • UniverseCity.exe (PID: 3836, cmdline: C:\Users\user\Desktop\UniverseCity.exe, MD5: 2815815F0488B3D2307C3A914DDC1D7A)
  • cleanup

Malware Configuration Extractor: RedLine {"C2 url": "185.206.213.32:42794", "Bot Id": "110", "Authorization Header": "e47b0f61fb0cc49a8eafd0acb2a1befc"}
Source: dump.pcap
Rule: JoeSecurity_RedLine
Description: Yara detected RedLine Stealer
Author: Joe Security

Source: 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: Process Memory Space: UniverseCity.exe PID: 3836
Rule: JoeSecurity_RedLine
Description: Yara detected RedLine Stealer
Author: Joe Security

Source: Process Memory Space: UniverseCity.exe PID: 3836
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

No Sigma rule has matched
Timestamp: 11/24/22-19:43:22.900750
Source IP: 192.168.2.4
Destination IP: 185.206.213.32
Source Port: 49696
Destination Port: 42794
SID: 2850286
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/24/22-19:43:19.130595
Source IP: 192.168.2.4
Destination IP: 185.206.213.32
Source Port: 49696
Destination Port: 42794
SID: 2850027
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/24/22-19:43:20.869342
Source IP: 185.206.213.32
Destination IP: 192.168.2.4
Source Port: 42794
Destination Port: 49696
SID: 2850353
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: UniverseCity.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "185.206.213.32:42794", "Bot Id": "110", "Authorization Header": "e47b0f61fb0cc49a8eafd0acb2a1befc"}
Source: UniverseCity.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Binary string: _.pdb | source: UniverseCity.exe, 00000000.00000002.390384903.000000000301C000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.390918451.0000000003200000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.4:49696 -> 185.206.213.32:42794
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49696 -> 185.206.213.32:42794
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 185.206.213.32:42794 -> 192.168.2.4:49696
Source: Malware configuration extractor | URLs: 185.206.213.32:42794
Source: Joe Sandbox View | ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: global traffic | TCP traffic: 192.168.2.4:49696 -> 185.206.213.32:42794
Source: unknown | TCP traffic detected without corresponding DNS query: 185.206.213.32
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: UniverseCity.exe, 00000000.00000003.378699909.0000000002BBC000.00000004.00000020.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.389446590.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000003.378769956.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultx
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyl
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response/E
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: UniverseCity.exe, 00000000.00000002.393376642.00000000035DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.o
Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
          Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
          Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: UniverseCity.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
          Source: UniverseCity.exe, 00000000.00000002.395294924.00000000037D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.395294924.00000000037D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.395294924.00000000037D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ll,\\StringFileInfo\\040904B0\\OriginalFilename vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.395294924.00000000037D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.395294924.00000000037D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXED vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000000.296301490.0000000000DDE000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamePanApi.dllR vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000003.299643414.0000000002B70000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMentioned.exeH vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.390384903.000000000301C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMentioned.exeH vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.390384903.000000000301C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename_.dll4 vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.390918451.0000000003200000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMentioned.exeH vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.401001416.0000000005A10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMentioned.exeH vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.379182526.0000000000460000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameMentioned.exeH vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.397483671.0000000004415000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMentioned.exeH vs UniverseCity.exe
          Source: UniverseCity.exeBinary or memory string: OriginalFilenamePanApi.dllR vs UniverseCity.exe
          Source: C:\Users\user\Desktop\UniverseCity.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Users\user\Desktop\UniverseCity.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\UniverseCity.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
          Source: C:\Users\user\Desktop\UniverseCity.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\UniverseCity.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
          Source: C:\Users\user\Desktop\UniverseCity.exeFile created: C:\Users\user\AppData\Local\Microsoft\Wind?wsJump to behavior
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
          Source: C:\Users\user\Desktop\UniverseCity.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: UniverseCity.exeStatic file information: File size 4881408 > 1048576
          Source: UniverseCity.exeStatic PE information: Raw size of .MPRESS1 is bigger than: 0x100000 < 0x48f400
          Source: Binary string: _.pdb source: UniverseCity.exe, 00000000.00000002.390384903.000000000301C000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.390918451.0000000003200000.00000004.08000000.00040000.00000000.sdmp

          Data Obfuscation

Source: C:\Users\user\Desktop\UniverseCity.exe | Unpacked PE file: 0.2.UniverseCity.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: UniverseCity.exe | Static PE information: section name: .MPRESS1
Source: UniverseCity.exe | Static PE information: section name: .MPRESS2
Source: initial sample | Static PE information: section where entry point is pointing to: .MPRESS2
Source: UniverseCity.exe | Static PE information: real checksum: 0x4aec6e should be: 0x4b7344
Source: C:\Users\user\Desktop\UniverseCity.exe | Process information set: NOOPENFILEERRORBOX (this row is repeated 54 times in the report)
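The three static indicators in the Data Obfuscation rows above (the non-standard section names .MPRESS1/.MPRESS2, an entry point that resolves into .MPRESS2 rather than .text, and a header checksum of 0x4aec6e where 0x4b7344 was computed) can all be re-derived from the PE headers without running the sample. The Python below is an added example and is not code from the report, from Joe Sandbox or from the sample: it implements the PE checksum fold, parses the section table, and runs that triage on two toy PE images built inline, one laid out like the MPRESS-packed sample with the report's stated header checksum, one with a conventional layout. The toy images, STANDARD_SECTIONS and CODE_SECTIONS are this example's own assumptions.

```python
"""Static packer triage for the indicators listed under Data Obfuscation:
non-standard section names, an entry point outside the code section, and a
PE header checksum that does not match the file. Added example; the toy PE
images are constructed here and are not loadable programs."""
import struct

# Section names a linker normally emits (assumption; extend for your toolchain).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", "CODE", "DATA"}
CODE_SECTIONS = {".text", "CODE"}


def pe_checksum(data: bytes) -> int:
    """PE image checksum as CheckSumMappedFile computes it: sum every 32-bit
    word except the CheckSum field with end-around carry, fold to 16 bits,
    then add the file length."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    checksum_offset = e_lfanew + 24 + 64       # CheckSum is at +64 in the optional header
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_headers(data: bytes):
    """Return (sections, entry_rva, header_checksum); sections = [(name, va, vsize)]."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    header_checksum = struct.unpack_from("<I", data, opt + 64)[0]
    sections = []
    for i in range(num_sections):
        name, vsize, va = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    return sections, entry_rva, header_checksum


def triage(data: bytes) -> dict:
    sections, entry_rva, header_checksum = parse_headers(data)
    entry_section = next((n for n, va, vs in sections if va <= entry_rva < va + vs), None)
    computed = pe_checksum(data)
    return {
        "sections": [n for n, _, _ in sections],
        "nonstandard_sections": [n for n, _, _ in sections if n not in STANDARD_SECTIONS],
        "entry_section": entry_section,
        "entry_outside_code": entry_section not in CODE_SECTIONS,
        "header_checksum": header_checksum,
        "computed_checksum": computed,
        "checksum_ok": header_checksum == computed,
    }


def build_toy_pe(section_names, entry_section_index, checksum=None) -> bytes:
    """Minimal PE32 image: DOS header, PE signature, COFF header, 224-byte
    optional header, one section header and one 0x200-byte raw block per
    section. checksum=None writes the correct value; anything else is written
    as given, to mimic a header that no longer matches the file."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000 * (entry_section_index + 1) + 0x10)   # AddressOfEntryPoint
    headers_len = e_lfanew + 4 + 20 + 224 + 40 * len(section_names)
    headers_len += -headers_len % 0x200
    sec_hdrs, body = b"", b""
    for i, name in enumerate(section_names):
        va, raw_ptr = 0x1000 * (i + 1), headers_len + 0x200 * i
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), 0x200, va, 0x200,
                                raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += bytes([0x90 + i]) * 0x200
    img = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs)
    img += b"\0" * (headers_len - len(img)) + body
    value = pe_checksum(bytes(img)) if checksum is None else checksum
    struct.pack_into("<I", img, e_lfanew + 24 + 64, value)
    return bytes(img)


if __name__ == "__main__":
    # Layout from the report: .MPRESS1/.MPRESS2/.rsrc, entry in .MPRESS2, header
    # checksum 0x4aec6e (which, as in the report, does not match the file).
    print(triage(build_toy_pe([".MPRESS1", ".MPRESS2", ".rsrc"], 1, checksum=0x4AEC6E)))
    print(triage(build_toy_pe([".text", ".rdata", ".data"], 0)))
```

One caveat when reading the checksum row: Windows only enforces the header checksum for kernel drivers and a few system images, so a great many legitimate user-mode binaries ship with CheckSum = 0 and would also fail `checksum_ok`. A non-zero value that is wrong, as here, is the more telling case, because it means the header was valid at link time and the file was modified afterwards (packing, patching or appended data).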

          Malware Analysis System Evasion

Source: C:\Users\user\Desktop\UniverseCity.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\UniverseCity.exe TID: 5976 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\UniverseCity.exe TID: 6044 | Thread sleep count: 9623 > 30
Source: C:\Users\user\Desktop\UniverseCity.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\UniverseCity.exe | Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\UniverseCity.exe | Window / User API: threadDelayed 9623
Source: C:\Users\user\Desktop\UniverseCity.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\UniverseCity.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\UniverseCity.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\UniverseCity.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\UniverseCity.exe | System information queried: ModuleInformation
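The evasion rows above name the data sources this sample reads to fingerprint its host: the raw firmware tables, the ACPI DSDT subkey VBOX__, Win32_VideoController, Win32_DiskDrive and Win32_Processor over WMI, the SystemBiosVersion and VideoBiosVersion values, and the display adapter's DriverDesc. They do not show which substrings the sample compares those values against. The Python below is an added example (not code from the report, Joe Sandbox or the sample) that a sandbox operator can use to check which of exactly those sources would give an analysis VM away; the VM_MARKERS list is an assumption of typical hypervisor strings, and both host fingerprints are constructed.

```python
"""Check which of the host-fingerprint sources read in the evasion rows above
would expose an analysis VM. Added example; VM_MARKERS is an assumption and
both host records are constructed, not captured from a real machine."""

# Typical hypervisor markers matched by VM-detection code (assumption).
VM_MARKERS = (
    "vbox", "virtualbox", "innotek", "oracle corporation",   # VirtualBox
    "vmware",                                                # VMware
    "qemu", "bochs", "red hat",                              # QEMU / KVM
    "xen", "hyper-v", "parallels",
    "virtual",     # broad on purpose: "Virtual Machine", "Virtual Platform", "VirtualBox"
)

# Field name -> the source the sample read, per the report rows above.
SOURCES = {
    "video_controller":    "WMI root\\CIMV2 SELECT * FROM Win32_VideoController (Name)",
    "disk_drive":          "WMI root\\cimv2 SELECT * FROM Win32_DiskDrive (Model)",
    "processor":           "WMI root\\cimv2 SELECT * FROM Win32_Processor (Name, Manufacturer)",
    "system_bios_version": "HKLM\\HARDWARE\\DESCRIPTION\\System : SystemBiosVersion",
    "video_bios_version":  "HKLM\\HARDWARE\\DESCRIPTION\\System : VideoBiosVersion",
    "display_driver_desc": "HKLM\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0000 : DriverDesc",
    "acpi_dsdt_names":     "HKLM\\HARDWARE\\ACPI\\DSDT subkeys (the sample opened VBOX__)",
    "smbios_manufacturer": "FirmwareTableInformation (raw SMBIOS table, type 1 Manufacturer)",
}


def leaking_fields(host: dict) -> dict:
    """Return {field: [markers found]} for every queried value containing a marker."""
    hits = {}
    for field, values in host.items():
        if isinstance(values, str):
            values = [values]
        found = sorted({m for v in values for m in VM_MARKERS if m in v.lower()})
        if found:
            hits[field] = found
    return hits


def verdict(host: dict) -> str:
    return "analysis VM detectable" if leaking_fields(host) else "no hypervisor marker exposed"


def hardening_todo(host: dict) -> list:
    """One line per leaking source, so the operator knows which value to change."""
    return [f"{SOURCES[f]}: contains {', '.join(m)}" for f, m in leaking_fields(host).items()]


# Constructed fingerprint of an out-of-the-box VirtualBox guest.
STOCK_VBOX_GUEST = {
    "video_controller": "VirtualBox Graphics Adapter",
    "disk_drive": "VBOX HARDDISK ATA Device",
    "processor": "Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz",
    "system_bios_version": ["VBOX   - 1"],
    "video_bios_version": ["Oracle VM VirtualBox VBE Adapter"],
    "display_driver_desc": "VirtualBox Graphics Adapter (WDDM)",
    "acpi_dsdt_names": ["VBOX__"],
    "smbios_manufacturer": "innotek GmbH",
}

# Constructed fingerprint of the same guest after the exposed strings were replaced.
HARDENED_GUEST = {
    "video_controller": "NVIDIA GeForce GTX 1060 6GB",
    "disk_drive": "ST1000DM003-1CH162",
    "processor": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    "system_bios_version": ["LENOVO - 1"],
    "video_bios_version": ["Hardware Version 0.0"],
    "display_driver_desc": "NVIDIA GeForce GTX 1060 6GB",
    "acpi_dsdt_names": ["LENOVO"],
    "smbios_manufacturer": "LENOVO",
}

if __name__ == "__main__":
    for name, host in (("stock VirtualBox guest", STOCK_VBOX_GUEST), ("hardened guest", HARDENED_GUEST)):
        print(f"{name}: {verdict(host)}")
        for line in hardening_todo(host):
            print("  ", line)
```

The string check covers only the fingerprint half of the section. The thread-delay rows (9623 delays, a delay time of 922337203685477) are the time-based half, and renaming strings does nothing against those; they need the sandbox to shorten or skip sleeps, which is what the "Thread sleep time ... >= -30000s" row records the analysis system doing.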

          Anti Debugging

Source: C:\Users\user\Desktop\UniverseCity.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\UniverseCity.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\UniverseCity.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\UniverseCity.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\UniverseCity.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\UniverseCity.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: UniverseCity.exe, 00000000.00000003.372338284.0000000006E62000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

          Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: UniverseCity.exe PID: 3836, type: MEMORYSTR
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
Source: UniverseCity.exe, 00000000.00000002.392906296.000000000356D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ll1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: UniverseCity.exe, 00000000.00000002.396262228.000000000389C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ll-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: UniverseCity.exe, 00000000.00000003.372317962.0000000006EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*.jsont
Source: UniverseCity.exe, 00000000.00000002.392906296.000000000356D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\wallets
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
Source: UniverseCity.exe, 00000000.00000002.392906296.000000000356D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ll5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: UniverseCity.exe, 00000000.00000002.389953191.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match | File source: 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UniverseCity.exe PID: 3836, type: MEMORYSTR
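The "File opened" rows above show the sample reading Chrome's Login Data, Web Data and Cookies databases directly; all three are SQLite files, and a stealer needs no browser API to read them. For incident response the question that follows is which accounts were in the stolen copy. The Python below is an added example, not code from the report, Joe Sandbox or the sample: it rebuilds a tiny Login Data file with a subset of Chrome's real `logins` table from constructed rows, enumerates the origin and username stored in the clear, classifies how each password_value is protected, and produces the rotation list. The table DDL is a subset of Chrome's schema and the rows are constructed; the example deliberately decrypts nothing.

```python
"""Exposure assessment for the Chrome 'Login Data' store the sample opened.
Added example; the schema is a subset of Chrome's 'logins' table and every
row is constructed. Passwords are never decrypted here: the point is to list
what a copy of this file hands an attacker before any decryption step."""
import shutil
import sqlite3
import tempfile
from pathlib import Path

LOGINS_DDL = """
CREATE TABLE logins (
    origin_url          VARCHAR NOT NULL,
    action_url          VARCHAR,
    username_value      VARCHAR,
    password_value      BLOB,
    date_created        INTEGER NOT NULL,
    blacklisted_by_user INTEGER NOT NULL DEFAULT 0
)"""

# Constructed rows. password_value is never plaintext in Chrome on Windows: it is
# an AES-256-GCM blob prefixed "v10" (key in 'Local State', itself DPAPI-wrapped,
# so it decrypts only in the victim's own user context, which is where the
# stealer runs) or, for very old profiles, a raw DPAPI blob starting 01 00 00 00.
CONSTRUCTED_ROWS = [
    ("https://mail.example.com/", "https://mail.example.com/login", "alice@example.com",
     b"v10" + bytes(12) + b"\xde\xad\xbe\xef" * 4, 13300000000000000, 0),
    ("https://bank.example.net/", "https://bank.example.net/auth", "alice",
     b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf" + bytes(24), 13300000000000000, 0),
    ("https://forum.example.org/", None, "", b"", 13300000000000000, 1),  # "never save" entry
]


def make_constructed_login_data(path: Path) -> Path:
    con = sqlite3.connect(path)
    con.execute(LOGINS_DDL)
    con.executemany("INSERT INTO logins VALUES (?,?,?,?,?,?)", CONSTRUCTED_ROWS)
    con.commit()
    con.close()
    return path


def secret_scheme(blob) -> str:
    """Classify the protection on a password_value by its header bytes."""
    if not blob:
        return "none"
    if bytes(blob[:3]) in (b"v10", b"v11"):
        return "aes-gcm (Local State key)"
    if bytes(blob[:4]) == b"\x01\x00\x00\x00":
        return "dpapi"
    return "unknown"


def enumerate_exposed_logins(login_data: Path) -> list:
    """Work on a copy opened read-only: a running Chrome keeps the live file
    locked, which is also why stealers copy it before reading."""
    with tempfile.TemporaryDirectory() as td:
        copy = Path(td) / "Login Data"
        shutil.copy2(login_data, copy)
        con = sqlite3.connect(copy.as_uri() + "?mode=ro", uri=True)
        rows = con.execute(
            "SELECT origin_url, username_value, password_value, blacklisted_by_user "
            "FROM logins ORDER BY origin_url").fetchall()
        con.close()
    return [{"origin": o, "username": u, "scheme": secret_scheme(p), "blocklisted": bool(b)}
            for o, u, p, b in rows]


def rotation_list(exposed: list) -> list:
    """(origin, username) pairs whose stored secret was in the stolen file."""
    return sorted((e["origin"], e["username"]) for e in exposed
                  if e["scheme"] != "none" and not e["blocklisted"])


def build_and_assess():
    """Build the constructed store in a temp dir and assess it end to end."""
    with tempfile.TemporaryDirectory() as td:
        db = make_constructed_login_data(Path(td) / "Login Data")
        exposed = enumerate_exposed_logins(db)
    return exposed, rotation_list(exposed)


if __name__ == "__main__":
    exposed, todo = build_and_assess()
    for e in exposed:
        print(f"{e['origin']:32} {e['username']:20} secret={e['scheme']} blocklisted={e['blocklisted']}")
    print("rotate:", todo)
```

Web Data (autofill, including saved card metadata) and Cookies (host_key, name, encrypted_value) are read the same way with their own table names; cookies deserve the same rotation treatment as passwords, since a stolen session cookie bypasses the password entirely.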

          Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: UniverseCity.exe PID: 3836, type: MEMORYSTR
MITRE ATT&CK matrix (rebuilt from the flattened table; the bracketed numbers are the report's per-technique signature-count badges, reproduced exactly as extracted)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation [221]; Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [551]; Software Packing [1]; Software Packing
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery [65]; Process Discovery [11]; Virtualization/Sandbox Evasion [551]; Application Window Discovery [1]; System Information Discovery [124]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System [3]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Non-Standard Port [1]; Application Layer Protocol [1]; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label | Link
UniverseCity.exe | 100% | Joe Sandbox ML | |

No Antivirus matches (reported three times, once per further detection table whose header was lost in extraction)

URLs
Source | Detection | Scanner | Label | Link
http://tempuri.org/ | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
http://ns.adobe.c/g | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
http://www.w3.o | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id1 | 0% | URL Reputation | safe |
185.206.213.32:42794 | 0% | Virustotal | | Browse
185.206.213.32:42794 | 0% | Avira URL Cloud | safe |

No contacted domains info

Contacted IPs
Name | Malicious | Antivirus Detection | Reputation
185.206.213.32:42794 | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/chrome_newtab | UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://tempuri.org/ | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.c/g | UniverseCity.exe, 00000000.00000003.378699909.0000000002BBC000.00000004.00000020.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.389446590.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000003.378769956.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultx | UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | false | |
                                        high
                                        http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/faultUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://schemas.xmlsoap.org/ws/2004/10/wsatUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://api.ip.sb/ipUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2004/04/scUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://tempuri.org/Entity/Id1ResponseUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressingUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trustUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/NonceUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RenewUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2006/02/addressingidentityUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/soap/envelope/UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://search.yahoo.com?fr=crmas_sfpfUniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trustUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertylUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/06/addressingexUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoorUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/RenewUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKeyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://www.w3.oUniverseCity.exe, 00000000.00000002.393376642.00000000035DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CommittedUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/faultUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/sc/sctUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponseUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/CancelUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCTUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icoUniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
URL:http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://schemas.xmlsoap.org/ws/2002/12/policy
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source:UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://tempuri.org/Entity/Id1
Source:UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
IP:185.206.213.32
Domain:unknown
Country:Ukraine
ASN:204601
ASN Name:ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Malicious:true
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:753417
Start date and time:2022-11-24 19:42:09 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 39s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:UniverseCity.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time:19:43:25
Type:API Interceptor
Description:64x Sleep call for process: UniverseCity.exe modified
Match:185.206.213.32
Associated Sample Name / URL:UniverseCity.exe
Detection:malicious
Context:No context
Process:C:\Users\user\Desktop\UniverseCity.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2201
Entropy (8bit):5.326033842196865
Encrypted:false
SSDEEP:48:MIHK5HKXEAHKzvQfHK7HKhBHKdHKBSTHtHmYHKhQnoPtHoxHImHKx1qHAHVHxLH0:Pq5qXLqzAq7qLqdqsNGYqhQnoPtIxHbt
MD5:9D13095367E03502A903DEBCA7487DF4
SHA1:75CAC4CD0867B1EF8422118EA22520E546F1C893
SHA-256:D6C7B642CBA4757549117405242B88C6383A2F555ACD121CC70D6BF604698469
SHA-512:F61C92128B02D520071F3A271FEF5B847AB58C0F7D53D188EE18504CECD67FCB3F03005130C8240FE7946CAA5F611A443789921DE2E86C70D7A656695B226219
Malicious:true
Reputation:low
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\Syst
                                                                                                                                                                                                    File type:MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Entropy (8bit): 7.993226453571658
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: UniverseCity.exe
File size: 4881408
MD5: 2815815f0488b3d2307c3a914ddc1d7a
SHA1: c5845c0c743106ac27622d32689a24e2f52a9ab7
SHA256: 14b87b3a9eb96e080373e2a7203b664b63cec8cc163bbd10b028ecf5441f7f67
SHA512: bc4e8c73de9a1a6db1984397a3339c62fb03e3bf145e0b2bb66596afa74b5944a73445ec04d5b5613b177e7aed9950408d96cf7481b3f856d76abf338ec1ff49
SSDEEP: 98304:sbtWGDueBJmf8eGjoA120pwKD6rjOXRe3qTZZQlYRpFvGHtGqKpIZ8:nGNO86AEawwNhZzpc8qiA
TLSH: 0D36336EF3D60AB1E45C01B1002E9BCF4B7675071D25DA2ABB4C738D9F72342BE69291
                                                                                                                                                                                                    File Content Preview:MZ@.....................................!..L.!Win32 .EXE...$@...PE..L...t..P..........#.................-.............@..........................`......n.J.........................................0.......tw..........`.d..$.................................
Icon Hash: c48e0f4f27a6f8f0
Entrypoint: 0xddd12d
Entrypoint Section: .MPRESS2
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: e045c920c82e7a05da4487cce2e427b2
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
  Subject Chain
    Version:
    Thumbprint MD5:
    Thumbprint SHA-1:
    Thumbprint SHA-256:
    Serial:
Instruction (entrypoint preview: disassembly starting at 0xddd12d in .MPRESS2)
pushad
call 00007FE930736655h
pop eax
add eax, 00000B5Ah
mov esi, dword ptr [eax]
add esi, eax
sub eax, eax
mov edi, esi
lodsw
shl eax, 0Ch
mov ecx, eax
push eax
lodsd
sub ecx, eax
add esi, ecx
mov ecx, eax
push edi
push ecx
dec ecx
mov al, byte ptr [ecx+edi+06h]
mov byte ptr [ecx+esi], al
jne 00007FE930736648h
sub eax, eax
lodsb
mov ecx, eax
and cl, FFFFFFF0h
and al, 0Fh
shl ecx, 0Ch
mov ch, al
lodsb
or ecx, eax
push ecx
add cl, ch
mov ebp, FFFFFD00h
shl ebp, cl
pop ecx
pop eax
mov ebx, esp
lea esp, dword ptr [esp+ebp*2-00000E70h]
push ecx
sub ecx, ecx
push ecx
push ecx
mov ecx, esp
push ecx
mov dx, word ptr [edi]
shl edx, 0Ch
push edx
push edi
add ecx, 04h
push ecx
push eax
add ecx, 04h
push esi
push ecx
call 00007FE9307366B3h
mov esp, ebx
pop esi
pop edx
sub eax, eax
mov dword ptr [edx+esi], eax
mov ah, 10h
sub edx, eax
sub ecx, ecx
cmp ecx, edx
jnc 00007FE930736678h
mov ebx, ecx
lodsb
inc ecx
and al, FEh
cmp al, E8h
jne 00007FE930736644h
inc ebx
add ecx, 04h
lodsd
or eax, eax
js 00007FE930736658h
cmp eax, edx
jnc 00007FE930736637h
jmp 00007FE930736658h
add eax, ebx
js 00007FE930736631h
add eax, edx
sub eax, ebx
mov dword ptr [esi-04h], eax
jmp 00007FE930736628h
call 00007FE930736655h
pop edi
add edi, FFFFFF4Dh
mov al, E9h
stosb
mov eax, 00000B56h
stosd
call 00007FE930736655h
Data directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x9dd000         0x130         .MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9de000         0x17774       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x1a64c160       0x24a8
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x9dd078         0x20          .MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Note: the IMAGE_DIRECTORY_ENTRY_SECURITY value is a raw file offset rather than an RVA, and 0x1a64c160 (roughly 443 MB) lies far beyond the end of this 4881408-byte file. The header therefore advertises a certificate table that cannot be read from the file as it is, which is consistent with the "Digitally signed: true" flag being paired with empty Signature Valid, Issuer and thumbprint fields above. The import table and IAT both live in the packer's own .MPRESS2 section, where the entry point also sits.

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.MPRESS1 | 0x1000 | 0x9dc000 | 0x48f400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.MPRESS2 | 0x9dd000 | 0xc97 | 0xe00 | False | 0.5276227678571429 | data | 5.654337414624995 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x9de000 | 0x17774 | 0x17800 | False | 0.39691032247340424 | data | 5.472894526519017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name | RVA | Size | Type | Language | Country
REGISTRY | 0x9de0ec | 0x445 | ASCII text, with CRLF line terminators | |
REGISTRY | 0x9de55c | 0x30e | ASCII text, with CRLF line terminators | |
REGISTRY | 0x9de894 | 0xbe4 | ASCII text, with CRLF line terminators | |
REGISTRY | 0x9df4a0 | 0x355 | ASCII text, with CRLF line terminators | |
REGISTRY | 0x9df820 | 0x348 | ASCII text, with CRLF line terminators | |
REGISTRY | 0x9dfb90 | 0x380 | ASCII text, with CRLF line terminators | |
TYPELIB | 0x9dff60 | 0xb7b4 | data | English | United States
RT_CURSOR | 0x97a02c | 0x134 | empty | |
RT_CURSOR | 0x97a160 | 0x134 | empty | |
RT_CURSOR | 0x97a294 | 0x134 | empty | |
RT_CURSOR | 0x97a3c8 | 0x134 | empty | |
RT_CURSOR | 0x97a4fc | 0x134 | empty | |
RT_CURSOR | 0x97a630 | 0xcac | empty | |
RT_CURSOR | 0x97b2dc | 0x134 | empty | |
RT_CURSOR | 0x97b410 | 0xcac | empty | |
RT_CURSOR | 0x97c0bc | 0x10ac | empty | |
RT_CURSOR | 0x97d168 | 0x10ac | empty | |
RT_CURSOR | 0x97e214 | 0x10ac | empty | |
RT_CURSOR | 0x97f2c0 | 0x10ac | empty | |
RT_CURSOR | 0x98036c | 0x10ac | empty | |
RT_CURSOR | 0x981418 | 0x10ac | empty | |
RT_CURSOR | 0x9824c4 | 0x10ac | empty | |
RT_CURSOR | 0x983570 | 0x10ac | empty | |
RT_CURSOR | 0x98461c | 0x10ac | empty | |
RT_CURSOR | 0x9856c8 | 0x10ac | empty | |
RT_CURSOR | 0x986774 | 0x10ac | empty | |
RT_CURSOR | 0x987820 | 0x134 | empty | |
RT_CURSOR | 0x987954 | 0x134 | empty | |
RT_CURSOR | 0x987a88 | 0x134 | empty | |
RT_CURSOR | 0x987bbc | 0x134 | empty | |
RT_ICON | 0x9ebbb4 | 0x6fb0 | Device independent bitmap graphic, 83 x 166 x 32, image size 27556 | |
RT_MENU | 0x98eca0 | 0x2be | empty | Chinese | China
RT_MENU | 0x98ef60 | 0x32e | empty | Chinese | China
RT_MENU | 0x98f290 | 0x2e8 | empty | Chinese | China
RT_STRING | 0x98f578 | 0x1f8 | empty | English | United States
RT_STRING | 0x98f770 | 0x1f8 | empty | English | United States
RT_STRING | 0x98f968 | 0x224 | empty | English | United States
RT_STRING | 0x98fb8c | 0x1c2 | empty | English | United States
RT_STRING | 0x98fd50 | 0x1f8 | empty | English | United States
RT_STRING | 0x98ff48 | 0x388 | empty | English | United States
RT_STRING | 0x9902d0 | 0x714 | empty | English | United States
RT_STRING | 0x9909e4 | 0x74a | empty | English | United States
RT_STRING | 0x991130 | 0x716 | empty | English | United States
RT_STRING | 0x991848 | 0x7ce | empty | English | United States
RT_STRING | 0x992018 | 0x658 | empty | English | United States
RT_STRING | 0x992670 | 0x660 | empty | English | United States
RT_STRING | 0x992cd0 | 0x660 | empty | English | United States
RT_STRING | 0x993330 | 0x660 | empty | English | United States
RT_STRING | 0x993990 | 0x660 | empty | English | United States
RT_STRING | 0x993ff0 | 0x66c | empty | English | United States
RT_STRING | 0x99465c | 0x6c0 | empty | English | United States
RT_STRING | 0x994d1c | 0x6c0 | empty | English | United States
RT_STRING | 0x9953dc | 0x6c0 | empty | English | United States
RT_STRING | 0x995a9c | 0x6c0 | empty | English | United States
RT_STRING | 0x99615c | 0x6c0 | empty | English | United States
RT_STRING | 0x99681c | 0x640 | empty | English | United States
RT_STRING | 0x996e5c | 0x640 | empty | English | United States
RT_STRING | 0x99749c | 0x640 | empty | English | United States
RT_STRING | 0x997adc | 0x640 | empty | English | United States
RT_STRING | 0x99811c | 0x640 | empty | English | United States
RT_STRING | 0x99875c | 0x2a4 | empty | English | United States
RT_STRING | 0x998a00 | 0x24c | empty | English | United States
RT_STRING | 0x998c4c | 0x234 | empty | English | United States
RT_STRING | 0x998e80 | 0x208 | empty | English | United States
RT_STRING | 0x999088 | 0x204 | empty | English | United States
RT_STRING | 0x99928c | 0x27c | empty | English | United States
RT_STRING | 0x999508 | 0x2a0 | empty | English | United States
RT_STRING | 0x9997a8 | 0x2a0 | empty | English | United States
RT_STRING | 0x999a48 | 0x2a0 | empty | English | United States
RT_STRING | 0x999ce8 | 0x2a0 | empty | English | United States
RT_STRING | 0x999f88 | 0x2dc | empty | English | United States
RT_STRING | 0x99a264 | 0x300 | empty | English | United States
RT_STRING | 0x99a564 | 0x300 | empty | English | United States
RT_STRING | 0x99a864 | 0x300 | empty | English | United States
RT_STRING | 0x99ab64 | 0x300 | empty | English | United States
RT_STRING | 0x99ae64 | 0x2c0 | empty | English | United States
RT_STRING | 0x99b124 | 0x280 | empty | English | United States
RT_STRING | 0x99b3a4 | 0x280 | empty | English | United States
RT_STRING | 0x99b624 | 0x280 | empty | English | United States
RT_STRING | 0x99b8a4 | 0x280 | empty | English | United States
RT_STRING | 0x99bb24 | 0x48a | empty | English | United States
RT_STRING | 0x99bfb0 | 0x81e | empty | English | United States
RT_STRING | 0x99c7d0 | 0x7ec | empty | English | United States
RT_STRING | 0x99cfbc | 0x84c | empty | English | United States
RT_STRING | 0x99d808 | 0x862 | empty | English | United States
RT_STRING | 0x99e06c | 0x88c | empty | English | United States
RT_STRING | 0x99e8f8 | 0xf70 | empty | English | United States
RT_STRING | 0x99f868 | 0xdfa | empty | English | United States
RT_STRING | 0x9a0664 | 0xe38 | empty | English | United States
RT_STRING | 0x9a149c | 0xef4 | empty | English | United States
RT_STRING | 0x9a2390 | 0xcf8 | empty | English | United States
RT_STRING | 0x9a3088 | 0x1072 | empty | English | United States
RT_STRING | 0x9a40fc | 0x1064 | empty | English | United States
RT_STRING | 0x9a5160 | 0xfd6 | empty | English | United States
RT_STRING | 0x9a6138 | 0x1082 | empty | English | United States
RT_STRING | 0x9a71bc | 0xe0e | empty | English | United States
RT_STRING | 0x9a7fcc | 0xec6 | empty | English | United States
RT_STRING | 0x9a8e94 | 0x1008 | empty | English | United States
RT_STRING | 0x9a9e9c | 0xe3e | empty | English | United States
RT_STRING | 0x9aacdc | 0xf74 | empty | English | United States
RT_STRING | 0x9abc50 | 0xe08 | empty | English | United States
RT_STRING | 0x9aca58 | 0x95c | empty | English | United States
RT_STRING | 0x9ad3b4 | 0xa1a | empty | English | United States
RT_STRING | 0x9addd0 | 0x8fe | empty | English | United States
RT_STRING | 0x9ae6d0 | 0xa98 | empty | English | United States
RT_STRING | 0x9af168 | 0x9be | empty | English | United States
RT_STRING | 0x9afb28 | 0x8d8 | empty | English | United States
RT_STRING | 0x9b0400 | 0xb56 | empty | English | United States
RT_STRING | 0x9b0f58 | 0x98a | empty | English | United States
RT_STRING | 0x9b18e4 | 0xac8 | empty | English | United States
RT_STRING | 0x9b23ac | 0xa96 | empty | English | United States
RT_STRING | 0x9b2e44 | 0x686 | empty | English | United States
RT_STRING | 0x9b34cc | 0x632 | empty | English | United States
RT_STRING | 0x9b3b00 | 0x69c | empty | English | United States
RT_STRING | 0x9b419c | 0x704 | empty | English | United States
RT_STRING | 0x9b48a0 | 0x63a | empty | English | United States
RT_STRING | 0x9b4edc | 0x788 | empty | English | United States
RT_STRING | 0x9b5664 | 0x8da | empty | English | United States
RT_STRING | 0x9b5f40 | 0x84e | empty | English | United States
RT_STRING | 0x9b6790 | 0x880 | empty | English | United States
RT_STRING | 0x9b7010 | 0x852 | empty | English | United States
RT_STRING | 0x9b7864 | 0x9d2 | empty | English | United States
RT_STRING | 0x9b8238 | 0x11b8 | empty | English | United States
RT_STRING | 0x9b93f0 | 0x11e6 | empty | English | United States
RT_STRING | 0x9ba5d8 | 0xfb0 | empty | English | United States
RT_STRING | 0x9bb588 | 0x120a | empty | English | United States
RT_STRING | 0x9bc794 | 0xc5c | empty | English | United States
RT_STRING | 0x9bd3f0 | 0x9e4 | empty | English | United States
RT_STRING | 0x9bddd4 | 0xa5a | empty | English | United States
RT_STRING | 0x9be830 | 0x9c0 | empty | English | United States
                                                                                                                                                                                                        RT_STRING0x9bf1f00xa2aemptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9bfc1c0xab6emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9c06d40x1cecemptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9c23c00x1d70emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9c41300x1baaemptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9c5cdc0x1dc8emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9c7aa40x19b2emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9c94580xc0emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9c95180xc0emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9c95d80xc8emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9c96a00xc0emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9c97600xccemptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9c982c0xba6emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9ca3d40xdcaemptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9cb1a00xc14emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9cbdb40xdf6emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9ccbac0xd0cemptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9cd8b80x8daemptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9ce1940xab4emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9cec480x944emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9cf58c0x9faemptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9cff880xa06emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d09900x356emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d0ce80x160emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d0e480x160emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d0fa80x160emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d11080x160emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d12680x150emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d13b80x140emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d14f80x140emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d16380x140emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d17780x140emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d18b80x154emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d1a0c0x18eemptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d1b9c0x186emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d1d240x17cemptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d1ea00x178emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d20180x194emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d21ac0x270emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d241c0x248emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d26640x248emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d28ac0x2b2emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d2b600x222emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d2d840x1c0emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d2f440x1c0emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d31040x1c0emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d32c40x1c0emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d34840x1c0emptyEnglishUnited States
                                                                                                                                                                                                        RT_STRING0x9d36440x84emptyEnglishUnited States
                                                                                                                                                                                                        RT_RCDATA0x9d36c80x54afempty
                                                                                                                                                                                                        RT_RCDATA0x9d8b780x897empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d94100x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d94240x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d94380x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d944c0x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d94600x22empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d94840x22empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d94a80x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d94bc0x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d94d00x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d94e40x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d94f80x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d950c0x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d95200x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d95340x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d95480x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d955c0x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d95700x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d95840x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d95980x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d95ac0x14empty
                                                                                                                                                                                                        RT_GROUP_CURSOR0x9d95c00x14empty
                                                                                                                                                                                                        RT_GROUP_ICON0x9f4c200x14data
                                                                                                                                                                                                        RT_VERSION0x9f4c740x358dataEnglishUnited States
                                                                                                                                                                                                        RT_MANIFEST0x9f500c0x425XML 1.0 document, ASCII text, with very long lines (1061), with no line terminatorsEnglishUnited States
                                                                                                                                                                                                        None0x9d9d680x1dcemptyRussianRussia
                                                                                                                                                                                                        None0x9d9f440x724emptyRussianRussia
                                                                                                                                                                                                        None0x9da6680x1f8emptyRussianRussia
                                                                                                                                                                                                        None0x9da8600x204emptyRussianRussia
                                                                                                                                                                                                        None0x9daa640x188emptyRussianRussia
                                                                                                                                                                                                        None0x9dabec0x11cemptyRussianRussia
                                                                                                                                                                                                        None0x9dad080x94emptyRussianRussia
                                                                                                                                                                                                        None0x9dad9c0x7cemptyRussianRussia
                                                                                                                                                                                                        None0x9dae180x180emptyRussianRussia
                                                                                                                                                                                                        None0x9daf980x278emptyRussianRussia
                                                                                                                                                                                                        None0x9db2100x7d8emptyRussianRussia
                                                                                                                                                                                                        None0x9db9e80x124emptyRussianRussia
                                                                                                                                                                                                        None0x9dbb0c0x2e8emptyRussianRussia
                                                                                                                                                                                                        None0x9dbdf40x128emptyRussianRussia
                                                                                                                                                                                                        None0x9dbf1c0x228emptyRussianRussia
                                                                                                                                                                                                        None0x9dc1440x114emptyRussianRussia
                                                                                                                                                                                                        None0x9dc2580x158emptyRussianRussia
DLL | Import
KERNEL32.DLL | GetModuleHandleA, GetProcAddress
ole32.dll | OleInitialize
OLEAUT32.dll | SafeArrayCreate
USER32.dll | GetProcessWindowStation
Language of compilation system | Country where language is spoken
English | United States
Chinese | China
Russian | Russia
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/24/22-19:43:22.900750 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49696 | 42794 | 192.168.2.4 | 185.206.213.32
11/24/22-19:43:19.130595 | TCP | 2850027 | ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init | 49696 | 42794 | 192.168.2.4 | 185.206.213.32
11/24/22-19:43:20.869342 | TCP | 2850353 | ETPRO MALWARE Redline Stealer TCP CnC - Id1Response | 42794 | 49696 | 185.206.213.32 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2022 19:43:18.693483114 CET | 49696 | 42794 | 192.168.2.4 | 185.206.213.32
Nov 24, 2022 19:43:18.722625017 CET | 42794 | 49696 | 185.206.213.32 | 192.168.2.4
Nov 24, 2022 19:43:18.726129055 CET | 49696 | 42794 | 192.168.2.4 | 185.206.213.32
Nov 24, 2022 19:43:19.130594969 CET | 49696 | 42794 | 192.168.2.4 | 185.206.213.32
Nov 24, 2022 19:43:19.161923885 CET | 42794 | 49696 | 185.206.213.32 | 192.168.2.4
Nov 24, 2022 19:43:19.308361053 CET | 49696 | 42794 | 192.168.2.4 | 185.206.213.32
Nov 24, 2022 19:43:20.836399078 CET | 49696 | 42794 | 192.168.2.4 | 185.206.213.32
Nov 24, 2022 19:43:20.869342089 CET | 42794 | 49696 | 185.206.213.32 | 192.168.2.4
Nov 24, 2022 19:43:21.011712074 CET | 49696 | 42794 | 192.168.2.4 | 185.206.213.32
Nov 24, 2022 19:43:22.900749922 CET | 49696 | 42794 | 192.168.2.4 | 185.206.213.32
Nov 24, 2022 19:43:22.941775084 CET | 42794 | 49696 | 185.206.213.32 | 192.168.2.4
Nov 24, 2022 19:43:22.941839933 CET | 42794 | 49696 | 185.206.213.32 | 192.168.2.4
Nov 24, 2022 19:43:22.941886902 CET | 42794 | 49696 | 185.206.213.32 | 192.168.2.4
Nov 24, 2022 19:43:22.941932917 CET | 42794 | 49696 | 185.206.213.32 | 192.168.2.4
Nov 24, 2022 19:43:22.941987991 CET | 42794 | 49696 | 185.206.213.32 | 192.168.2.4
Nov 24, 2022 19:43:22.941994905 CET | 49696 | 42794 | 192.168.2.4 | 185.206.213.32
Nov 24, 2022 19:43:22.942058086 CET | 49696 | 42794 | 192.168.2.4 | 185.206.213.32
Nov 24, 2022 19:43:23.011904955 CET | 49696 | 42794 | 192.168.2.4 | 185.206.213.32
Nov 24, 2022 19:43:36.912053108 CET | 49696 | 42794 | 192.168.2.4 | 185.206.213.32
Nov 24, 2022 19:43:36.939960957 CET | 42794 | 49696 | 185.206.213.32 | 192.168.2.4
Nov 24, 2022 19:43:36.940021992 CET | 42794 | 49696 | 185.206.213.32 | 192.168.2.4
Nov 24, 2022 19:43:36.940057039 CET | 42794 | 49696 | 185.206.213.32 | 192.168.2.4
Nov 24, 2022 19:43:36.940085888 CET | 42794 | 49696 | 185.206.213.32 | 192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.940196037 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.940273046 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.967849016 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.967904091 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.967935085 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.967983961 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.968269110 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.968297958 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.968331099 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.968363047 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.968411922 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.968472958 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.968477011 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.968564034 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.996155977 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.996207952 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.996241093 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.996309996 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.996339083 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.996391058 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.996531963 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.996648073 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.996655941 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.996687889 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.996743917 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.996815920 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.996905088 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.997243881 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.997409105 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.997534037 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.997565031 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.997592926 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.997670889 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.997924089 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:36.998081923 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.024167061 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.024219990 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.024291992 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.024322033 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.024352074 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.024401903 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.024766922 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.024796963 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.024919033 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.024983883 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025053978 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025084972 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025212049 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025309086 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025352001 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025489092 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025522947 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025625944 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025733948 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025765896 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025794029 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025821924 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025898933 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.025928020 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026026011 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026057005 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026170969 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026201010 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026202917 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026298046 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026329994 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026387930 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026410103 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026635885 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026665926 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026694059 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026724100 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026802063 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026909113 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026943922 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.026973009 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.027055979 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.027137041 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.027165890 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.027194977 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.027405024 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.027432919 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.027601957 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.052233934 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.053858042 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.053917885 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.054122925 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.054310083 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.054621935 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.054666996 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.054704905 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.054752111 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.054775000 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.054784060 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.054951906 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.054984093 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.055128098 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.055160999 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.055243969 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.055273056 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.055351973 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.055525064 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.055718899 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.146373987 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.146534920 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.146565914 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.146594048 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.146687031 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.146856070 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.146913052 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.146940947 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147052050 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147125006 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147208929 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147238970 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147268057 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147500992 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147531033 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147558928 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147588015 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147617102 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147644997 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147679090 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147707939 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147736073 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147789001 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147809029 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147924900 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.147953987 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148031950 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148060083 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148087025 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148209095 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148283005 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148358107 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148477077 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148504972 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148581982 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148608923 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148772001 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148801088 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148828983 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148905039 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.148932934 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.149008989 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.149101019 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.149735928 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.149837971 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.175533056 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.175591946 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.175621986 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.175652027 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.175679922 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.175707102 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.175956011 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.176104069 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.176233053 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.176367998 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.176513910 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.176592112 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.176620960 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.176649094 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.176745892 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.176788092 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.177062988 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.177093983 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.177165985 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.177196980 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.177297115 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.177500963 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.177583933 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.177615881 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.177647114 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.177784920 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.177843094 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.177932024 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.178049088 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.178128958 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.178179979 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.178215027 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.178257942 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.178467989 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.178553104 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.178630114 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.178750038 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.178823948 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.178843975 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.178941011 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.179063082 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.179141045 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.179217100 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.179377079 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.179451942 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.179574013 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.179694891 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.179773092 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.179892063 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.206902027 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.207045078 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.207079887 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.207653999 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.207710028 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.207796097 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.208349943 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.208447933 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.208583117 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.360045910 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                        Nov 24, 2022 19:43:37.450454950 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                        Nov 24, 2022 19:43:39.065957069 CET4969642794192.168.2.4185.206.213.32
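A packet listing like the one above is more useful to a responder once it is reduced to per-flow facts: which remote endpoint the sample talked to, how many packets went each way, how long the exchange lasted and where the largest idle gap sits. The script below is an added example written for this page, not Joe Sandbox code. It assumes the rows have been split into five tab-separated columns (Timestamp, Source Port, Dest Port, Source IP, Dest IP), that the rows are in chronological order as the report prints them, and that the sandbox guest sits in 192.168.2.0/24 so direction can be inferred from the addresses; the embedded sample is five rows transcribed from the table above, and the timezone map covers only the zone names assumed to appear in these reports.

```python
"""Summarise rows of a Joe Sandbox "TCP Packets" table into per-flow statistics.

Added example for this report page; it is not Joe Sandbox code. Rows are
assumed to carry five tab-separated columns (Timestamp, Source Port,
Dest Port, Source IP, Dest IP), in chronological order, and the sandbox
guest is assumed to sit in 192.168.2.0/24 (guest_prefix below).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: five rows transcribed from the report's TCP Packets table.
SAMPLE_ROWS = (
    "Nov 24, 2022 19:43:37.144947052 CET\t42794\t49696\t185.206.213.32\t192.168.2.4\n"
    "Nov 24, 2022 19:43:37.147644997 CET\t49696\t42794\t192.168.2.4\t185.206.213.32\n"
    "Nov 24, 2022 19:43:37.175533056 CET\t42794\t49696\t185.206.213.32\t192.168.2.4\n"
    "Nov 24, 2022 19:43:37.450454950 CET\t49696\t42794\t192.168.2.4\t185.206.213.32\n"
    "Nov 24, 2022 19:43:39.065957069 CET\t49696\t42794\t192.168.2.4\t185.206.213.32\n"
)

_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) (\w+)$")
# Assumption: only these zone names occur in the reports being parsed.
_ZONES = {
    "UTC": timezone.utc,
    "CET": timezone(timedelta(hours=1)),
    "CEST": timezone(timedelta(hours=2)),
}


def parse_timestamp(text: str) -> float:
    """Return epoch seconds as a float, keeping the nanosecond fraction.

    datetime only stores microseconds, so the fractional part is parsed
    separately and added back after the integral part is converted.
    """
    m = _TS.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base, frac, zone = m.groups()
    dt = datetime.strptime(base, "%b %d, %Y %H:%M:%S").replace(tzinfo=_ZONES[zone])
    return dt.timestamp() + int(frac) / 10 ** len(frac)


def parse_rows(text: str) -> list:
    """Turn the tab-separated rows into packet dicts, in file order."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = line.split("\t")
        packets.append({"t": parse_timestamp(ts), "sport": int(sport),
                        "dport": int(dport), "src": src, "dst": dst})
    return packets


def summarise(packets: list, guest_prefix: str = "192.168.") -> dict:
    """Group packets into flows keyed by (guest IP, guest port, peer IP, peer port).

    Rows are assumed chronological, so the largest inter-packet gap can be
    tracked in one pass; a long gap marks where the sample went idle.
    """
    flows = {}
    for p in packets:
        if p["src"].startswith(guest_prefix):
            key, direction = (p["src"], p["sport"], p["dst"], p["dport"]), "guest_to_peer"
        else:
            key, direction = (p["dst"], p["dport"], p["src"], p["sport"]), "peer_to_guest"
        f = flows.setdefault(key, {"guest_to_peer": 0, "peer_to_guest": 0,
                                   "first": p["t"], "last": p["t"],
                                   "max_gap": 0.0, "_prev": p["t"]})
        f[direction] += 1
        f["last"] = max(f["last"], p["t"])
        f["max_gap"] = max(f["max_gap"], p["t"] - f["_prev"])
        f["_prev"] = p["t"]
    for f in flows.values():
        f["duration"] = f["last"] - f["first"]
        del f["_prev"]
    return flows


def peer_endpoints(flows: dict) -> set:
    """The remote (IP, port) pairs, i.e. the network indicators to block or hunt for."""
    return {(peer_ip, peer_port) for (_, _, peer_ip, peer_port) in flows}


def analyse(text: str = SAMPLE_ROWS) -> dict:
    return summarise(parse_rows(text))


if __name__ == "__main__":
    for key, f in analyse().items():
        print(key, {k: round(v, 6) if isinstance(v, float) else v for k, v in f.items()})
    print("peer endpoints:", peer_endpoints(analyse()))
```

On the sample rows the only flow is 192.168.2.4:49696 to 185.206.213.32:42794, with the 1.6 s gap before the final guest packet standing out; run against the full table the same code gives the per-direction packet counts for the whole exchange, and `peer_endpoints` yields the address and port pair to feed into a blocklist or retrospective search.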
Target ID: 0
Start time: 19:42:59
Start date: 24/11/2022
Path: C:\Users\user\Desktop\UniverseCity.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\UniverseCity.exe
Imagebase: 0x400000
File size: 4881408 bytes
MD5 hash: 2815815F0488B3D2307C3A914DDC1D7A
Has elevated privileges: true
Has administrator privileges: true
                                                                                                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                        Reputation:low

                                                                                                                                                                                                        No disassembly