Windows Analysis Report
UniverseCity.exe

Overview

General Information

Sample Name:UniverseCity.exe
Analysis ID:753417
MD5:2815815f0488b3d2307c3a914ddc1d7a
SHA1:c5845c0c743106ac27622d32689a24e2f52a9ab7
SHA256:14b87b3a9eb96e080373e2a7203b664b63cec8cc163bbd10b028ecf5441f7f67
Tags:185-206-213-32CosmicWayexeFakeGaliXCityRedLineStealerUniverseCity
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to steal Crypto Currency Wallets
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • UniverseCity.exe (PID: 3836 cmdline: C:\Users\user\Desktop\UniverseCity.exe MD5: 2815815F0488B3D2307C3A914DDC1D7A)
  • cleanup

Malware Configuration (RedLine): {"C2 url": "185.206.213.32:42794", "Bot Id": "110", "Authorization Header": "e47b0f61fb0cc49a8eafd0acb2a1befc"}
Source: dump.pcap | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: UniverseCity.exe PID: 3836 | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: Process Memory Space: UniverseCity.exe PID: 3836 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security

No Sigma rule has matched
Timestamp: 11/24/22-19:43:22.900750
Source IP: 192.168.2.4
Destination IP: 185.206.213.32
SID: 2850286
Source Port: 49696
Destination Port: 42794
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/24/22-19:43:19.130595
Source IP: 192.168.2.4
Destination IP: 185.206.213.32
SID: 2850027
Source Port: 49696
Destination Port: 42794
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/24/22-19:43:20.869342
Source IP: 185.206.213.32
Destination IP: 192.168.2.4
SID: 2850353
Source Port: 42794
Destination Port: 49696
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: UniverseCity.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "185.206.213.32:42794", "Bot Id": "110", "Authorization Header": "e47b0f61fb0cc49a8eafd0acb2a1befc"}
Source: UniverseCity.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Binary string: _.pdb source: UniverseCity.exe, 00000000.00000002.390384903.000000000301C000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.390918451.0000000003200000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.4:49696 -> 185.206.213.32:42794
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49696 -> 185.206.213.32:42794
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 185.206.213.32:42794 -> 192.168.2.4:49696
Source: Malware configuration extractor | URLs: 185.206.213.32:42794
Source: Joe Sandbox View | ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: global traffic | TCP traffic: 192.168.2.4:49696 -> 185.206.213.32:42794
Source: unknown | TCP traffic detected without corresponding DNS query: 185.206.213.32
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: UniverseCity.exe, 00000000.00000003.378699909.0000000002BBC000.00000004.00000020.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.389446590.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000003.378769956.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultx
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyl
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response/E
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: UniverseCity.exe, 00000000.00000002.393376642.00000000035DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.o
Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
          Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
          Source: UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: UniverseCity.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
          Source: UniverseCity.exe, 00000000.00000002.395294924.00000000037D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.395294924.00000000037D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.395294924.00000000037D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ll,\\StringFileInfo\\040904B0\\OriginalFilename vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.395294924.00000000037D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.395294924.00000000037D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXED vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000000.296301490.0000000000DDE000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamePanApi.dllR vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000003.299643414.0000000002B70000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMentioned.exeH vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.390384903.000000000301C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMentioned.exeH vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.390384903.000000000301C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename_.dll4 vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.390918451.0000000003200000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMentioned.exeH vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.401001416.0000000005A10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMentioned.exeH vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.379182526.0000000000460000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameMentioned.exeH vs UniverseCity.exe
          Source: UniverseCity.exe, 00000000.00000002.397483671.0000000004415000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMentioned.exeH vs UniverseCity.exe
          Source: UniverseCity.exeBinary or memory string: OriginalFilenamePanApi.dllR vs UniverseCity.exe
          Source: C:\Users\user\Desktop\UniverseCity.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\UniverseCity.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: C:\Users\user\Desktop\UniverseCity.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
          Source: C:\Users\user\Desktop\UniverseCity.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\UniverseCity.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
          Source: C:\Users\user\Desktop\UniverseCity.exeFile created: C:\Users\user\AppData\Local\Microsoft\Wind?wsJump to behavior
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
          Source: C:\Users\user\Desktop\UniverseCity.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: UniverseCity.exeStatic file information: File size 4881408 > 1048576
          Source: UniverseCity.exeStatic PE information: Raw size of .MPRESS1 is bigger than: 0x100000 < 0x48f400
          Source: Binary string: _.pdb source: UniverseCity.exe, 00000000.00000002.390384903.000000000301C000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.390918451.0000000003200000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\UniverseCity.exe | Unpacked PE file: 0.2.UniverseCity.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: UniverseCity.exe | Static PE information: section name: .MPRESS1
Source: UniverseCity.exe | Static PE information: section name: .MPRESS2
Source: initial sample | Static PE information: section where entry point is pointing to: .MPRESS2
Source: UniverseCity.exe | Static PE information: real checksum: 0x4aec6e should be: 0x4b7344
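The three static findings above (packer section names, an entry point that lies outside the standard sections, and a stored checksum that differs from the computed one) can be reproduced with a small standard-library script. The following is an added example written for this page, not code from Joe Sandbox or from the sample. The set of "standard" section names is the example's own choice, and the input is a constructed minimal PE32 whose section names, entry-point location and bogus CheckSum value mirror the report; it is not the real UniverseCity.exe. The script also flags sections that are both writable and executable, which is the state the report shows for the unpacked image (.MPRESS1:EW;.MPRESS2:EW).

```python
"""Static PE triage (added example, not part of the Joe Sandbox report):
non-standard section names, entry-point section, W+X sections and the
PE header checksum comparison reported as "real checksum: X should be: Y".
Standard library only; the sample PE below is constructed inline."""
import struct

# Example's own list of section names a linker normally emits (an assumption).
STANDARD_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata", b".edata",
                     b".rsrc", b".reloc", b".tls", b".pdata", b".xdata", b".CRT"}
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """Checksum as computed by imagehlp's CheckSumMappedFile: one's-complement
    sum of every dword except the CheckSum field itself, folded to 16 bits,
    plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Minimal header walk: entry-point RVA, CheckSum field offset, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64                      # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr,
                         "span": max(vsize, rawsize), "chars": chars})
    return {"entry_rva": entry_rva, "checksum_off": checksum_off,
            "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "sections": sections}


def triage(data: bytes) -> dict:
    """Return the findings a static-analysis pass would report for this file."""
    pe = parse_pe(data)
    entry = next((s["name"] for s in pe["sections"]
                  if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + s["span"]), None)
    real = pe_checksum(data, pe["checksum_off"])
    return {
        "nonstandard_sections": [s["name"] for s in pe["sections"]
                                 if s["name"] not in STANDARD_SECTIONS],
        "entry_section": entry,
        "entry_in_standard_section": entry in STANDARD_SECTIONS,
        "wx_sections": [s["name"] for s in pe["sections"]
                        if s["chars"] & SCN_EXECUTE and s["chars"] & SCN_WRITE],
        "stored_checksum": pe["stored_checksum"],
        "real_checksum": real,
        "checksum_matches": pe["stored_checksum"] == real,
    }


def fix_checksum(data: bytes) -> bytes:
    """Write the computed checksum into the header, as a linker would."""
    pe = parse_pe(data)
    out = bytearray(data)
    struct.pack_into("<I", out, pe["checksum_off"], pe_checksum(data, pe["checksum_off"]))
    return bytes(out)


def build_sample_pe() -> bytes:
    """Constructed input (not the real sample): a 1.5 KB PE32 with two sections
    named like the packer sections in the report, entry point inside .MPRESS2
    (marked W+X here for illustration) and a deliberately wrong CheckSum."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, EXE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3010)                        # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)     # ImageBase, alignments
    struct.pack_into("<I", opt, 64, 0x4AEC6E)                      # bogus CheckSum

    def section(name, vaddr, vsize, rawptr, rawsize, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)

    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    hdr += section(b".MPRESS1", 0x1000, 0x2000, 0x200, 0x200, 0x60000000)  # E+R
    hdr += section(b".MPRESS2", 0x3000, 0x1000, 0x400, 0x200, 0xE0000000)  # E+R+W
    return hdr.ljust(0x200, b"\0") + bytes(range(256)) * 2 + b"\xCC" * 0x200


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key:26} {value}")
```

Point triage() at the bytes of a real file to get the same fields. A checksum mismatch on its own is weak evidence (many legitimate builds leave the field at zero), but together with packer section names and an entry point in a non-standard section it is the pattern this report is flagging.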
Source: C:\Users\user\Desktop\UniverseCity.exe | Process information set: NOOPENFILEERRORBOX (54 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\UniverseCity.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\UniverseCity.exe TID: 5976 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\UniverseCity.exe TID: 6044 | Thread sleep count: 9623 > 30
Source: C:\Users\user\Desktop\UniverseCity.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\UniverseCity.exe | Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\UniverseCity.exe | Window / User API: threadDelayed 9623
Source: C:\Users\user\Desktop\UniverseCity.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\UniverseCity.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\UniverseCity.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\UniverseCity.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\UniverseCity.exe | System information queried: ModuleInformation

Anti Debugging

Source: C:\Users\user\Desktop\UniverseCity.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\UniverseCity.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\UniverseCity.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\UniverseCity.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\UniverseCity.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\UniverseCity.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\UniverseCity.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\UniverseCity.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\UniverseCity.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: UniverseCity.exe, 00000000.00000003.372338284.0000000006E62000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
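The probes in the two sections above (FirmwareTableInformation, the HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ key, SystemBiosVersion and VideoBiosVersion, the display adapter's DriverDesc, and the window-name lookups for regmonclass, procmon_window_class, ollydbg and the other Sysinternals titles) are exactly what a defender should run against their own analysis VM to see what it gives away. The script below is an added example for this page, not part of the report or of the sample. The VM_MARKERS list, the ProcessorNameString and disk\Enum registry values used as stand-ins for the Win32_Processor and Win32_DiskDrive WMI queries, and reading SMBIOS/ACPI through GetSystemFirmwareTable are this example's assumptions about what the sample compares against; the report shows the queries, not the values matched. The collectors are Windows-only and guarded, so the matching logic can be exercised anywhere.

```python
"""Analysis-VM self-check (added example, not part of the Joe Sandbox report).
Runs, from the defender's side, the same probes the sample uses to recognise a
sandbox: registry values and the VirtualBox ACPI key it reads, firmware tables
it fetches, and the analysis-tool window names it searches for."""
import ctypes
import re

# Strings a VM check typically looks for in firmware/device names (assumed list;
# the report shows the sample's queries, not the values it compares against).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK", "VMWARE", "QEMU", "BOCHS",
              "XEN", "HYPER-V", "VIRTUAL")
# Window classes/titles the sample opens (verbatim from the report).
TOOL_WINDOWS = ("regmonclass", "gbdyllo", "procmon_window_class", "ollydbg", "filemonclass",
                "process monitor - sysinternals: www.sysinternals.com",
                "registry monitor - sysinternals: www.sysinternals.com",
                "file monitor - sysinternals: www.sysinternals.com")
# HKLM values the sample queries (first three), plus two assumed stand-ins for
# its Win32_Processor / Win32_DiskDrive WMI queries.
REGISTRY_PROBES = (
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000", "DriverDesc"),
    (r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString"),
    (r"SYSTEM\CurrentControlSet\Services\disk\Enum", "0"),
)
VBOX_ACPI_KEY = r"HARDWARE\ACPI\DSDT\VBOX__"   # opened by the sample; exists only under VirtualBox


def vm_markers(value) -> list:
    """Markers present in a string, or in any string of a list (REG_MULTI_SZ)."""
    text = value if isinstance(value, str) else " ".join(str(v) for v in value)
    upper = text.upper()
    return [m for m in VM_MARKERS if m in upper]


def registry_probe_values() -> dict:
    """Read the probed values; keys that do not exist are simply absent."""
    import winreg
    found = {}
    for key, name in REGISTRY_PROBES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                found[key + "\\" + name] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass
    try:
        winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, VBOX_ACPI_KEY).Close()
        found[VBOX_ACPI_KEY] = "VBOX (key present)"
    except OSError:
        pass
    return found


def firmware_strings(provider: bytes) -> list:
    """Printable strings from every table of a firmware provider (b'RSMB' = SMBIOS,
    b'ACPI'), fetched with the kernel32 calls behind FirmwareTableInformation."""
    k32 = ctypes.windll.kernel32
    sig = int.from_bytes(provider, "big")
    size = k32.EnumSystemFirmwareTables(sig, None, 0)
    ids = (ctypes.c_char * max(size, 4))()
    k32.EnumSystemFirmwareTables(sig, ids, size)
    table_ids = [int.from_bytes(ids.raw[i:i + 4], "little") for i in range(0, size, 4)] or [0]
    strings = []
    for tid in table_ids:
        n = k32.GetSystemFirmwareTable(sig, tid, None, 0)
        buf = (ctypes.c_char * max(n, 1))()
        k32.GetSystemFirmwareTable(sig, tid, buf, n)
        strings += [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{4,}", buf.raw)]
    return strings


def analysis_tool_windows() -> list:
    """Entries of TOOL_WINDOWS that currently exist as a window class or title."""
    user32 = ctypes.windll.user32
    return [w for w in TOOL_WINDOWS if user32.FindWindowW(w, None) or user32.FindWindowW(None, w)]


def report() -> dict:
    """Map each leaking artefact to the markers that give the VM away."""
    leaks = {}
    for name, value in registry_probe_values().items():
        if vm_markers(value):
            leaks[name] = vm_markers(value)
    for provider in (b"RSMB", b"ACPI"):
        hits = vm_markers(firmware_strings(provider))
        if hits:
            leaks[provider.decode()] = hits
    tools = analysis_tool_windows()
    if tools:
        leaks["analysis tool windows"] = tools
    return leaks


if __name__ == "__main__":
    for artefact, markers in report().items():
        print(f"{artefact}: {', '.join(markers)}")
```

Run it inside the sandbox VM with the privileges the sample would have. Every entry it prints is an artefact the checks in this report can use to refuse to run; empty output means none of the probes listed here would reveal the VM, which says nothing about probes the sample does not make.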

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: UniverseCity.exe PID: 3836, type: MEMORYSTR
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
Source: UniverseCity.exe, 00000000.00000002.392906296.000000000356D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ll1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: UniverseCity.exe, 00000000.00000002.396262228.000000000389C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ll-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: UniverseCity.exe, 00000000.00000003.372317962.0000000006EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*.jsont
Source: UniverseCity.exe, 00000000.00000002.392906296.000000000356D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\wallets
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
Source: UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
Source: UniverseCity.exe, 00000000.00000002.392906296.000000000356D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ll5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: UniverseCity.exe, 00000000.00000002.389953191.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\UniverseCity.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match | File source: 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UniverseCity.exe PID: 3836, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: UniverseCity.exe PID: 3836, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques per tactic, in the row order of the report's matrix; the number in parentheses is the count the report shows for techniques that matched. The matrix is cut off after five rows in this copy.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (221); Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (551); Software Packing (1); Software Packing
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (65); Process Discovery (11); Virtualization/Sandbox Evasion (551); Application Window Discovery (1); System Information Discovery (124)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System (3); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Non-Standard Port (1); Application Layer Protocol (1); Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data

Source | Detection | Scanner | Label
UniverseCity.exe | 100% | Joe Sandbox ML | malicious
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://ns.adobe.c/g | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
http://www.w3.o | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1 | 0% | URL Reputation | safe
185.206.213.32:42794 | 0% | Virustotal | -
185.206.213.32:42794 | 0% | Avira URL Cloud | safe
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
185.206.213.32:42794 | true | Virustotal: 0%; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/chrome_newtab | UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://tempuri.org/ | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.c/g | UniverseCity.exe, 00000000.00000003.378699909.0000000002BBC000.00000004.00000020.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.389446590.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000003.378769956.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultx | UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp | false |
                                                    high
                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://api.ip.sb/ipUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2004/04/scUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://tempuri.org/Entity/Id1ResponseUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressingUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trustUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/NonceUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RenewUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2006/02/addressingidentityUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/soap/envelope/UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://search.yahoo.com?fr=crmas_sfpfUniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trustUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertylUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/06/addressingexUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoorUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/RenewUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKeyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://www.w3.oUniverseCity.exe, 00000000.00000002.393376642.00000000035DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CommittedUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/faultUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/sc/sctUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponseUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/CancelUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCTUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icoUniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousUniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_WrapUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2002/12/policyUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/sc/dkUniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
Name:http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source:UniverseCity.exe, 00000000.00000002.395242356.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.394744089.000000000373C000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source:UniverseCity.exe, 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://tempuri.org/Entity/Id1
Source:UniverseCity.exe, 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:URL Reputation: safe
Reputation:unknown
Contacted IP:
IP:185.206.213.32
Domain:unknown
Country:Ukraine
ASN:204601
ASN Name:ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Malicious:true
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:753417
Start date and time:2022-11-24 19:42:09 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 39s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:UniverseCity.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time:19:43:25
Type:API Interceptor
Description:64x Sleep call for process: UniverseCity.exe modified
No context
Process:C:\Users\user\Desktop\UniverseCity.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2201
Entropy (8bit):5.326033842196865
Encrypted:false
SSDEEP:48:MIHK5HKXEAHKzvQfHK7HKhBHKdHKBSTHtHmYHKhQnoPtHoxHImHKx1qHAHVHxLH0:Pq5qXLqzAq7qLqdqsNGYqhQnoPtIxHbt
MD5:9D13095367E03502A903DEBCA7487DF4
SHA1:75CAC4CD0867B1EF8422118EA22520E546F1C893
SHA-256:D6C7B642CBA4757549117405242B88C6383A2F555ACD121CC70D6BF604698469
SHA-512:F61C92128B02D520071F3A271FEF5B847AB58C0F7D53D188EE18504CECD67FCB3F03005130C8240FE7946CAA5F611A443789921DE2E86C70D7A656695B226219
Malicious:true
Reputation:low
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\Syst
File type:MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Entropy (8bit):7.993226453571658
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:UniverseCity.exe
File size:4881408
MD5:2815815f0488b3d2307c3a914ddc1d7a
SHA1:c5845c0c743106ac27622d32689a24e2f52a9ab7
SHA256:14b87b3a9eb96e080373e2a7203b664b63cec8cc163bbd10b028ecf5441f7f67
SHA512:bc4e8c73de9a1a6db1984397a3339c62fb03e3bf145e0b2bb66596afa74b5944a73445ec04d5b5613b177e7aed9950408d96cf7481b3f856d76abf338ec1ff49
SSDEEP:98304:sbtWGDueBJmf8eGjoA120pwKD6rjOXRe3qTZZQlYRpFvGHtGqKpIZ8:nGNO86AEawwNhZzpc8qiA
TLSH:0D36336EF3D60AB1E45C01B1002E9BCF4B7675071D25DA2ABB4C738D9F72342BE69291
File Content Preview:MZ@.....................................!..L.!Win32 .EXE...$@...PE..L...t..P..........#.................-.............@..........................`......n.J.........................................0.......tw..........`.d..$.................................
Icon Hash:c48e0f4f27a6f8f0
Entrypoint:0xddd12d
Entrypoint Section:.MPRESS2
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:e045c920c82e7a05da4487cce2e427b2
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After:
Subject Chain:
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:
Instruction
pushad
call 00007FE930736655h
pop eax
add eax, 00000B5Ah
mov esi, dword ptr [eax]
add esi, eax
sub eax, eax
mov edi, esi
lodsw
shl eax, 0Ch
mov ecx, eax
push eax
lodsd
sub ecx, eax
add esi, ecx
mov ecx, eax
push edi
push ecx
dec ecx
mov al, byte ptr [ecx+edi+06h]
                                                                                                                                                                                                      mov byte ptr [ecx+esi], al
                                                                                                                                                                                                      jne 00007FE930736648h
                                                                                                                                                                                                      sub eax, eax
                                                                                                                                                                                                      lodsb
                                                                                                                                                                                                      mov ecx, eax
                                                                                                                                                                                                      and cl, FFFFFFF0h
                                                                                                                                                                                                      and al, 0Fh
                                                                                                                                                                                                      shl ecx, 0Ch
                                                                                                                                                                                                      mov ch, al
                                                                                                                                                                                                      lodsb
                                                                                                                                                                                                      or ecx, eax
                                                                                                                                                                                                      push ecx
                                                                                                                                                                                                      add cl, ch
                                                                                                                                                                                                      mov ebp, FFFFFD00h
                                                                                                                                                                                                      shl ebp, cl
                                                                                                                                                                                                      pop ecx
                                                                                                                                                                                                      pop eax
                                                                                                                                                                                                      mov ebx, esp
                                                                                                                                                                                                      lea esp, dword ptr [esp+ebp*2-00000E70h]
                                                                                                                                                                                                      push ecx
                                                                                                                                                                                                      sub ecx, ecx
                                                                                                                                                                                                      push ecx
                                                                                                                                                                                                      push ecx
                                                                                                                                                                                                      mov ecx, esp
                                                                                                                                                                                                      push ecx
                                                                                                                                                                                                      mov dx, word ptr [edi]
                                                                                                                                                                                                      shl edx, 0Ch
                                                                                                                                                                                                      push edx
                                                                                                                                                                                                      push edi
                                                                                                                                                                                                      add ecx, 04h
                                                                                                                                                                                                      push ecx
                                                                                                                                                                                                      push eax
                                                                                                                                                                                                      add ecx, 04h
                                                                                                                                                                                                      push esi
                                                                                                                                                                                                      push ecx
                                                                                                                                                                                                      call 00007FE9307366B3h
                                                                                                                                                                                                      mov esp, ebx
                                                                                                                                                                                                      pop esi
                                                                                                                                                                                                      pop edx
                                                                                                                                                                                                      sub eax, eax
                                                                                                                                                                                                      mov dword ptr [edx+esi], eax
                                                                                                                                                                                                      mov ah, 10h
                                                                                                                                                                                                      sub edx, eax
                                                                                                                                                                                                      sub ecx, ecx
                                                                                                                                                                                                      cmp ecx, edx
                                                                                                                                                                                                      jnc 00007FE930736678h
                                                                                                                                                                                                      mov ebx, ecx
                                                                                                                                                                                                      lodsb
                                                                                                                                                                                                      inc ecx
                                                                                                                                                                                                      and al, FEh
                                                                                                                                                                                                      cmp al, E8h
                                                                                                                                                                                                      jne 00007FE930736644h
                                                                                                                                                                                                      inc ebx
                                                                                                                                                                                                      add ecx, 04h
                                                                                                                                                                                                      lodsd
                                                                                                                                                                                                      or eax, eax
                                                                                                                                                                                                      js 00007FE930736658h
                                                                                                                                                                                                      cmp eax, edx
                                                                                                                                                                                                      jnc 00007FE930736637h
                                                                                                                                                                                                      jmp 00007FE930736658h
                                                                                                                                                                                                      add eax, ebx
                                                                                                                                                                                                      js 00007FE930736631h
                                                                                                                                                                                                      add eax, edx
                                                                                                                                                                                                      sub eax, ebx
                                                                                                                                                                                                      mov dword ptr [esi-04h], eax
                                                                                                                                                                                                      jmp 00007FE930736628h
                                                                                                                                                                                                      call 00007FE930736655h
                                                                                                                                                                                                      pop edi
                                                                                                                                                                                                      add edi, FFFFFF4Dh
                                                                                                                                                                                                      mov al, E9h
                                                                                                                                                                                                      stosb
                                                                                                                                                                                                      mov eax, 00000B56h
                                                                                                                                                                                                      stosd
                                                                                                                                                                                                      call 00007FE930736655h
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x9dd000        | 0x130        | .MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x9de000        | 0x17774      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x1a64c160      | 0x24a8       |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x9dd078        | 0x20         | .MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name     | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity     | File Type | Entropy           | Characteristics
.MPRESS1 | 0x1000          | 0x9dc000     | 0x48f400 | unknown  | unknown             | unknown   | unknown           | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.MPRESS2 | 0x9dd000        | 0xc97        | 0xe00    | False    | 0.5276227678571429  | data      | 5.654337414624995 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc    | 0x9de000        | 0x17774      | 0x17800  | False    | 0.39691032247340424 | data      | 5.472894526519017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name      | RVA      | Size   | Type                                                                   | Language | Country
REGISTRY  | 0x9de0ec | 0x445  | ASCII text, with CRLF line terminators                                 |          |
REGISTRY  | 0x9de55c | 0x30e  | ASCII text, with CRLF line terminators                                 |          |
REGISTRY  | 0x9de894 | 0xbe4  | ASCII text, with CRLF line terminators                                 |          |
REGISTRY  | 0x9df4a0 | 0x355  | ASCII text, with CRLF line terminators                                 |          |
REGISTRY  | 0x9df820 | 0x348  | ASCII text, with CRLF line terminators                                 |          |
REGISTRY  | 0x9dfb90 | 0x380  | ASCII text, with CRLF line terminators                                 |          |
TYPELIB   | 0x9dff60 | 0xb7b4 | data                                                                   | English  | United States
RT_CURSOR | 0x97a02c | 0x134  | empty                                                                  |          |
RT_CURSOR | 0x97a160 | 0x134  | empty                                                                  |          |
RT_CURSOR | 0x97a294 | 0x134  | empty                                                                  |          |
RT_CURSOR | 0x97a3c8 | 0x134  | empty                                                                  |          |
RT_CURSOR | 0x97a4fc | 0x134  | empty                                                                  |          |
RT_CURSOR | 0x97a630 | 0xcac  | empty                                                                  |          |
RT_CURSOR | 0x97b2dc | 0x134  | empty                                                                  |          |
RT_CURSOR | 0x97b410 | 0xcac  | empty                                                                  |          |
RT_CURSOR | 0x97c0bc | 0x10ac | empty                                                                  |          |
RT_CURSOR | 0x97d168 | 0x10ac | empty                                                                  |          |
RT_CURSOR | 0x97e214 | 0x10ac | empty                                                                  |          |
RT_CURSOR | 0x97f2c0 | 0x10ac | empty                                                                  |          |
RT_CURSOR | 0x98036c | 0x10ac | empty                                                                  |          |
RT_CURSOR | 0x981418 | 0x10ac | empty                                                                  |          |
RT_CURSOR | 0x9824c4 | 0x10ac | empty                                                                  |          |
RT_CURSOR | 0x983570 | 0x10ac | empty                                                                  |          |
RT_CURSOR | 0x98461c | 0x10ac | empty                                                                  |          |
RT_CURSOR | 0x9856c8 | 0x10ac | empty                                                                  |          |
RT_CURSOR | 0x986774 | 0x10ac | empty                                                                  |          |
RT_CURSOR | 0x987820 | 0x134  | empty                                                                  |          |
RT_CURSOR | 0x987954 | 0x134  | empty                                                                  |          |
RT_CURSOR | 0x987a88 | 0x134  | empty                                                                  |          |
RT_CURSOR | 0x987bbc | 0x134  | empty                                                                  |          |
RT_ICON   | 0x9ebbb4 | 0x6fb0 | Device independent bitmap graphic, 83 x 166 x 32, image size 27556     |          |
RT_MENU   | 0x98eca0 | 0x2be  | empty                                                                  | Chinese  | China
RT_MENU   | 0x98ef60 | 0x32e  | empty                                                                  | Chinese  | China
RT_MENU   | 0x98f290 | 0x2e8  | empty                                                                  | Chinese  | China
RT_STRING | 0x98f578 | 0x1f8  | empty                                                                  | English  | United States
RT_STRING | 0x98f770 | 0x1f8  | empty                                                                  | English  | United States
RT_STRING | 0x98f968 | 0x224  | empty                                                                  | English  | United States
RT_STRING | 0x98fb8c | 0x1c2  | empty                                                                  | English  | United States
RT_STRING | 0x98fd50 | 0x1f8  | empty                                                                  | English  | United States
RT_STRING | 0x98ff48 | 0x388  | empty                                                                  | English  | United States
RT_STRING | 0x9902d0 | 0x714  | empty                                                                  | English  | United States
RT_STRING | 0x9909e4 | 0x74a  | empty                                                                  | English  | United States
RT_STRING | 0x991130 | 0x716  | empty                                                                  | English  | United States
RT_STRING | 0x991848 | 0x7ce  | empty                                                                  | English  | United States
RT_STRING | 0x992018 | 0x658  | empty                                                                  | English  | United States
                                                                                                                                                                                                      RT_STRING0x9926700x660emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x992cd00x660emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9933300x660emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9939900x660emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x993ff00x66cemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99465c0x6c0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x994d1c0x6c0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9953dc0x6c0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x995a9c0x6c0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99615c0x6c0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99681c0x640emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x996e5c0x640emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99749c0x640emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x997adc0x640emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99811c0x640emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99875c0x2a4emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x998a000x24cemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x998c4c0x234emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x998e800x208emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9990880x204emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99928c0x27cemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9995080x2a0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9997a80x2a0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x999a480x2a0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x999ce80x2a0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x999f880x2dcemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99a2640x300emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99a5640x300emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99a8640x300emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99ab640x300emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99ae640x2c0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99b1240x280emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99b3a40x280emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99b6240x280emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99b8a40x280emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99bb240x48aemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99bfb00x81eemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99c7d00x7ecemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99cfbc0x84cemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99d8080x862emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99e06c0x88cemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99e8f80xf70emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x99f8680xdfaemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9a06640xe38emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9a149c0xef4emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9a23900xcf8emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9a30880x1072emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9a40fc0x1064emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9a51600xfd6emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9a61380x1082emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9a71bc0xe0eemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9a7fcc0xec6emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9a8e940x1008emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9a9e9c0xe3eemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9aacdc0xf74emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9abc500xe08emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9aca580x95cemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9ad3b40xa1aemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9addd00x8feemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9ae6d00xa98emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9af1680x9beemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9afb280x8d8emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b04000xb56emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b0f580x98aemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b18e40xac8emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b23ac0xa96emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b2e440x686emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b34cc0x632emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b3b000x69cemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b419c0x704emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b48a00x63aemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b4edc0x788emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b56640x8daemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b5f400x84eemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b67900x880emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b70100x852emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b78640x9d2emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b82380x11b8emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9b93f00x11e6emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9ba5d80xfb0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9bb5880x120aemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9bc7940xc5cemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9bd3f00x9e4emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9bddd40xa5aemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9be8300x9c0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9bf1f00xa2aemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9bfc1c0xab6emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9c06d40x1cecemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9c23c00x1d70emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9c41300x1baaemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9c5cdc0x1dc8emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9c7aa40x19b2emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9c94580xc0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9c95180xc0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9c95d80xc8emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9c96a00xc0emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9c97600xccemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9c982c0xba6emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9ca3d40xdcaemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9cb1a00xc14emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9cbdb40xdf6emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9ccbac0xd0cemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9cd8b80x8daemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9ce1940xab4emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9cec480x944emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9cf58c0x9faemptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9cff880xa06emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9d09900x356emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9d0ce80x160emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9d0e480x160emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9d0fa80x160emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9d11080x160emptyEnglishUnited States
                                                                                                                                                                                                      RT_STRING0x9d12680x150emptyEnglishUnited States
RT_STRING        0x9d13b8  0x140   empty  English  United States
RT_STRING        0x9d14f8  0x140   empty  English  United States
RT_STRING        0x9d1638  0x140   empty  English  United States
RT_STRING        0x9d1778  0x140   empty  English  United States
RT_STRING        0x9d18b8  0x154   empty  English  United States
RT_STRING        0x9d1a0c  0x18e   empty  English  United States
RT_STRING        0x9d1b9c  0x186   empty  English  United States
RT_STRING        0x9d1d24  0x17c   empty  English  United States
RT_STRING        0x9d1ea0  0x178   empty  English  United States
RT_STRING        0x9d2018  0x194   empty  English  United States
RT_STRING        0x9d21ac  0x270   empty  English  United States
RT_STRING        0x9d241c  0x248   empty  English  United States
RT_STRING        0x9d2664  0x248   empty  English  United States
RT_STRING        0x9d28ac  0x2b2   empty  English  United States
RT_STRING        0x9d2b60  0x222   empty  English  United States
RT_STRING        0x9d2d84  0x1c0   empty  English  United States
RT_STRING        0x9d2f44  0x1c0   empty  English  United States
RT_STRING        0x9d3104  0x1c0   empty  English  United States
RT_STRING        0x9d32c4  0x1c0   empty  English  United States
RT_STRING        0x9d3484  0x1c0   empty  English  United States
RT_STRING        0x9d3644  0x84    empty  English  United States
RT_RCDATA        0x9d36c8  0x54af  empty
RT_RCDATA        0x9d8b78  0x897   empty
RT_GROUP_CURSOR  0x9d9410  0x14    empty
RT_GROUP_CURSOR  0x9d9424  0x14    empty
RT_GROUP_CURSOR  0x9d9438  0x14    empty
RT_GROUP_CURSOR  0x9d944c  0x14    empty
RT_GROUP_CURSOR  0x9d9460  0x22    empty
RT_GROUP_CURSOR  0x9d9484  0x22    empty
RT_GROUP_CURSOR  0x9d94a8  0x14    empty
RT_GROUP_CURSOR  0x9d94bc  0x14    empty
RT_GROUP_CURSOR  0x9d94d0  0x14    empty
RT_GROUP_CURSOR  0x9d94e4  0x14    empty
RT_GROUP_CURSOR  0x9d94f8  0x14    empty
RT_GROUP_CURSOR  0x9d950c  0x14    empty
RT_GROUP_CURSOR  0x9d9520  0x14    empty
RT_GROUP_CURSOR  0x9d9534  0x14    empty
RT_GROUP_CURSOR  0x9d9548  0x14    empty
RT_GROUP_CURSOR  0x9d955c  0x14    empty
RT_GROUP_CURSOR  0x9d9570  0x14    empty
RT_GROUP_CURSOR  0x9d9584  0x14    empty
RT_GROUP_CURSOR  0x9d9598  0x14    empty
RT_GROUP_CURSOR  0x9d95ac  0x14    empty
RT_GROUP_CURSOR  0x9d95c0  0x14    empty
RT_GROUP_ICON    0x9f4c20  0x14    data
RT_VERSION       0x9f4c74  0x358   data   English  United States
RT_MANIFEST      0x9f500c  0x425   XML 1.0 document, ASCII text, with very long lines (1061), with no line terminators  English  United States
None             0x9d9d68  0x1dc   empty  Russian  Russia
None             0x9d9f44  0x724   empty  Russian  Russia
None             0x9da668  0x1f8   empty  Russian  Russia
None             0x9da860  0x204   empty  Russian  Russia
None             0x9daa64  0x188   empty  Russian  Russia
None             0x9dabec  0x11c   empty  Russian  Russia
None             0x9dad08  0x94    empty  Russian  Russia
None             0x9dad9c  0x7c    empty  Russian  Russia
None             0x9dae18  0x180   empty  Russian  Russia
None             0x9daf98  0x278   empty  Russian  Russia
None             0x9db210  0x7d8   empty  Russian  Russia
None             0x9db9e8  0x124   empty  Russian  Russia
None             0x9dbb0c  0x2e8   empty  Russian  Russia
None             0x9dbdf4  0x128   empty  Russian  Russia
None             0x9dbf1c  0x228   empty  Russian  Russia
None             0x9dc144  0x114   empty  Russian  Russia
None             0x9dc258  0x158   empty  Russian  Russia
DLL           Import
KERNEL32.DLL  GetModuleHandleA, GetProcAddress
ole32.dll     OleInitialize
OLEAUT32.dll  SafeArrayCreate
USER32.dll    GetProcessWindowStation
Language of compilation system  Country where language is spoken
English                         United States
Chinese                         China
Russian                         Russia
Timestamp                 Protocol  SID      Message                                              Source Port  Dest Port  Source IP       Dest IP
11/24/22-19:43:22.900750  TCP       2850286  ETPRO TROJAN Redline Stealer TCP CnC Activity        49696        42794      192.168.2.4     185.206.213.32
11/24/22-19:43:19.130595  TCP       2850027  ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init    49696        42794      192.168.2.4     185.206.213.32
11/24/22-19:43:20.869342  TCP       2850353  ETPRO MALWARE Redline Stealer TCP CnC - Id1Response  42794        49696      185.206.213.32  192.168.2.4
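Added example, not part of the Joe Sandbox report: a small Python triage script that parses the Snort alert rows above together with rows of the TCP packet timeline that follows, groups both by flow, and reports per flow the packet count in each direction, the time span, the alert SIDs in the order they fired, the remote endpoint tagged as C2, and the delay between the client's "net.tcp Init" alert and the server's "Id1Response" alert. The two tab-separated inputs are constructed from the values in the report's tables (only the first packets of the timeline are included); the 192.168.0.0/16 sandbox range and the "CnC" substring test are assumptions of this example, not something the report states.

```python
"""Correlate Snort alerts with a TCP packet timeline, per flow (added example, not Joe Sandbox code)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: Snort rows copied from the report (Timestamp, Protocol, SID, Message, Src Port, Dst Port, Src IP, Dst IP)
SNORT_ALERTS = """\
11/24/22-19:43:22.900750\tTCP\t2850286\tETPRO TROJAN Redline Stealer TCP CnC Activity\t49696\t42794\t192.168.2.4\t185.206.213.32
11/24/22-19:43:19.130595\tTCP\t2850027\tETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init\t49696\t42794\t192.168.2.4\t185.206.213.32
11/24/22-19:43:20.869342\tTCP\t2850353\tETPRO MALWARE Redline Stealer TCP CnC - Id1Response\t42794\t49696\t185.206.213.32\t192.168.2.4
"""

# Constructed sample: the first packets of the report's timeline (Timestamp, Src Port, Dst Port, Src IP, Dst IP)
PACKETS = """\
Nov 24, 2022 19:43:18.693483114 CET\t49696\t42794\t192.168.2.4\t185.206.213.32
Nov 24, 2022 19:43:18.722625017 CET\t42794\t49696\t185.206.213.32\t192.168.2.4
Nov 24, 2022 19:43:18.726129055 CET\t49696\t42794\t192.168.2.4\t185.206.213.32
Nov 24, 2022 19:43:19.130594969 CET\t49696\t42794\t192.168.2.4\t185.206.213.32
Nov 24, 2022 19:43:19.161923885 CET\t42794\t49696\t185.206.213.32\t192.168.2.4
Nov 24, 2022 19:43:20.869342089 CET\t42794\t49696\t185.206.213.32\t192.168.2.4
Nov 24, 2022 19:43:22.900749922 CET\t49696\t42794\t192.168.2.4\t185.206.213.32
Nov 24, 2022 19:43:36.912053108 CET\t49696\t42794\t192.168.2.4\t185.206.213.32
"""

LOCAL_NET = "192.168."  # assumption: the sandbox guest sits in this range; anything else is a remote endpoint


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent key (client_ip, client_port, server_ip, server_port); the sandbox side is the client."""
    if src_ip.startswith(LOCAL_NET):
        return (src_ip, int(src_port), dst_ip, int(dst_port))
    return (dst_ip, int(dst_port), src_ip, int(src_port))


def parse_snort(text):
    """Parse tab-separated Snort rows into dicts with a parsed timestamp, flow key and direction."""
    alerts = []
    for line in text.splitlines():
        ts, proto, sid, msg, sp, dp, sip, dip = line.split("\t")
        alerts.append({"time": datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"), "proto": proto,
                       "sid": int(sid), "msg": msg, "flow": flow_key(sip, sp, dip, dp),
                       "outbound": sip.startswith(LOCAL_NET)})
    return alerts


def parse_packets(text):
    """Parse tab-separated packet rows; the zone suffix is dropped and nanoseconds truncated to microseconds."""
    pkts = []
    for line in text.splitlines():
        ts, sp, dp, sip, dip = line.split("\t")
        date, clock = ts.rsplit(" ", 1)[0].rsplit(" ", 1)
        clock = clock[:clock.index(".") + 7]
        pkts.append({"time": datetime.strptime(f"{date} {clock}", "%b %d, %Y %H:%M:%S.%f"),
                     "flow": flow_key(sip, sp, dip, dp), "outbound": sip.startswith(LOCAL_NET)})
    return pkts


def summarize(alerts, pkts):
    """Per flow: packets per direction, first/last seen, and the SIDs and messages in firing order."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "first": None, "last": None, "sids": [], "msgs": []})
    for p in pkts:
        f = flows[p["flow"]]
        f["out" if p["outbound"] else "in"] += 1
        f["first"] = p["time"] if f["first"] is None else min(f["first"], p["time"])
        f["last"] = p["time"] if f["last"] is None else max(f["last"], p["time"])
    for a in sorted(alerts, key=lambda a: a["time"]):
        flows[a["flow"]]["sids"].append(a["sid"])
        flows[a["flow"]]["msgs"].append(a["msg"])
    return dict(flows)


def c2_servers(summary):
    """(ip, port) of every remote endpoint whose flow carries at least one CnC-tagged alert."""
    return sorted({(k[2], k[3]) for k, f in summary.items() if any("CnC" in m for m in f["msgs"])})


def init_to_response_seconds(alerts):
    """Seconds from the client's net.tcp Init alert to the server's Id1Response on the same flow, or None."""
    inits = {a["flow"]: a["time"] for a in alerts if "Init" in a["msg"] and a["outbound"]}
    for a in alerts:
        if "Id1Response" in a["msg"] and not a["outbound"] and a["flow"] in inits:
            return (a["time"] - inits[a["flow"]]).total_seconds()
    return None


if __name__ == "__main__":
    alerts = parse_snort(SNORT_ALERTS)
    summary = summarize(alerts, parse_packets(PACKETS))
    for (cip, cport, sip, sport), f in summary.items():
        span = (f["last"] - f["first"]).total_seconds() if f["first"] else 0.0
        print(f"{cip}:{cport} -> {sip}:{sport}  out={f['out']} in={f['in']} span={span:.3f}s sids={f['sids']}")
    print("C2 servers:", c2_servers(summary))
    print("Init -> Id1Response:", init_to_response_seconds(alerts), "s")
```

On the sample the single flow 192.168.2.4:49696 to 185.206.213.32:42794 collects all three SIDs in the order 2850027, 2850353, 2850286, which matches the report's own timestamps even though the alert table lists them out of order, and the Init-to-Id1Response gap is about 1.74 seconds. Feeding the complete timeline instead of the eight sample packets changes only the counts and span.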
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 24, 2022 19:43:18.693483114 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:18.722625017 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:18.726129055 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:19.130594969 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:19.161923885 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:19.308361053 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:20.836399078 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:20.869342089 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:21.011712074 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:22.900749922 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:22.941775084 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:22.941839933 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:22.941886902 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:22.941932917 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:22.941987991 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:22.941994905 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:22.942058086 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:23.011904955 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.912053108 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.939960957 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.940021992 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.940057039 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.940085888 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.940196037 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.940273046 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.967849016 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.967904091 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.967935085 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.967983961 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.968269110 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.968297958 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.968331099 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.968363047 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.968411922 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.968472958 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.968477011 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.968564034 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.996155977 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.996207952 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.996241093 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.996309996 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.996339083 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.996391058 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.996531963 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.996648073 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.996655941 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.996687889 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.996743917 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.996815920 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.996905088 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:36.997243881 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.997409105 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.997534037 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.997565031 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.997592926 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.997670889 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.997924089 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:36.998081923 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:37.024167061 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:37.024219990 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:37.024291992 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:37.024322033 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:37.024352074 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:37.024401903 CET  49696        42794      192.168.2.4     185.206.213.32
Nov 24, 2022 19:43:37.024766922 CET  42794        49696      185.206.213.32  192.168.2.4
Nov 24, 2022 19:43:37.024796963 CET  42794        49696      185.206.213.32  192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.024919033 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.024983883 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025053978 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025084972 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025212049 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025309086 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025352001 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025489092 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025522947 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025625944 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025733948 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025765896 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025794029 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025821924 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025898933 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.025928020 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026026011 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026057005 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026170969 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026201010 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026202917 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026298046 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026329994 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026387930 CET4969642794192.168.2.4185.206.213.32
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026410103 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026635885 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026665926 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026694059 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026724100 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026802063 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026909113 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026943922 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.026973009 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      Nov 24, 2022 19:43:37.027055979 CET4279449696185.206.213.32192.168.2.4
                                                                                                                                                                                                      No statistics
Target ID: 0
Start time: 19:42:59
Start date: 24/11/2022
Path: C:\Users\user\Desktop\UniverseCity.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\UniverseCity.exe
Imagebase: 0x400000
File size: 4881408 bytes
MD5 hash: 2815815F0488B3D2307C3A914DDC1D7A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

No disassembly