Edit tour

Windows Analysis Report
IxE6TjWjRM.exe

Overview

General Information

Sample name:	IxE6TjWjRM.exe renamed because original name is a hash value
Original sample name:	51a74c9b3c860a932aea37b77d55c3dc.exe
Analysis ID:	1477129
MD5:	51a74c9b3c860a932aea37b77d55c3dc
SHA1:	e3cd015f08557d51eea53e4a38a97f647ae4778e
SHA256:	19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83
Tags:	exePovertyStealer
Infos:

Detection

Poverty Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Poverty Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking mutex)

Injects a PE file into a foreign processes

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Installs a raw input device (often for capturing keystrokes)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Yara signature match

Classification

Process Tree

System is w10x64

IxE6TjWjRM.exe (PID: 6456 cmdline: "C:\Users\user\Desktop\IxE6TjWjRM.exe" MD5: 51A74C9B3C860A932AEA37B77D55C3DC)

BitLockerToGo.exe (PID: 6740 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Configuration

Threatname: Poverty Stealer

{"C2 url": "85.244.212.106:2227"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1786546407.00000180F1500000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000000.00000002.1791970814.000000C001198000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000000.00000002.1789102261.000000C0005EA000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000003.1774754791.00000180F1720000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000000.00000002.1791486951.000000C000C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000000.00000002.1790728531.000000C000800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Process Memory Space: IxE6TjWjRM.exe PID: 6456	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 6740	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.IxE6TjWjRM.exe.c000e80000.6.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.IxE6TjWjRM.exe.c000d78000.5.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.3.IxE6TjWjRM.exe.180f1720000.0.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.IxE6TjWjRM.exe.c000b70000.4.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.IxE6TjWjRM.exe.c001198000.7.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.3.IxE6TjWjRM.exe.180f1500000.3.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
1.2.BitLockerToGo.exe.580000.0.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.3.IxE6TjWjRM.exe.180f1500000.3.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
1.2.BitLockerToGo.exe.580000.0.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.IxE6TjWjRM.exe.c000b70000.4.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.3.IxE6TjWjRM.exe.180f1720000.0.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.IxE6TjWjRM.exe.c001198000.7.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.IxE6TjWjRM.exe.c000e80000.6.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.IxE6TjWjRM.exe.c000d78000.5.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Click to see the 9 entries

Suricata Signatures

ET MALWARE PovertyStealer Exfiltration M3 - Source IP: 192.168.2.4 - Destination IP: 185.244.212.106

Timestamp:	2024-07-20T05:07:24.579180+0200
SID:	2048736
Source Port:	49736
Destination Port:	2227
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.IxE6TjWjRM.exe.c000b70000.4.unpack

Malware Configuration Extractor: Poverty Stealer {"C2 url": "85.244.212.106:2227"}

Multi AV Scanner detection for submitted file

Source: IxE6TjWjRM.exe	ReversingLabs: Detection: 50%
Source: IxE6TjWjRM.exe	Virustotal: Detection: 58%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_00581D21 CryptProtectData,

1_2_00581D21

Source: IxE6TjWjRM.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: ntkrnlmp.pdbx, source: BitLockerToGo.exe, 00000001.00000002.1965117082.000000000DC14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1898911144.000000000B7E6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2018695992.000000000F367000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1911142447.000000000BDCB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2000142112.000000000EB94000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2038067480.000000000FAFC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1922706182.000000000C4F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2058005086.0000000010309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1934652431.000000000CC6E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1892965940.000000000B3C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1949754162.000000000D457000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1890705697.000000000B248000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1982487820.000000000E401000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: BitLockerToGo.exe, 00000001.00000002.1965117082.000000000DC14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1898911144.000000000B7E6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1982487820.000000000E3F8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2018695992.000000000F367000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2058005086.000000001030C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1911142447.000000000BDCB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2000142112.000000000EB94000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2018695992.000000000F369000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2038067480.000000000FAFC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1922706182.000000000C4F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2000142112.000000000EB9C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2058005086.0000000010309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1934652431.000000000CC6E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1892965940.000000000B3C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1949754162.000000000D457000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1890705697.000000000B248000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1982487820.000000000E401000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1949754162.000000000D45E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: IxE6TjWjRM.exe, 00000000.00000002.1789102261.000000C000708000.00000004.00001000.00020000.00000000.sdmp, IxE6TjWjRM.exe, 00000000.00000003.1785889347.00000180F1610000.00000004.00001000.00020000.00000000.sdmp, IxE6TjWjRM.exe, 00000000.00000002.1789102261.000000C0005EA000.00000004.00001000.00020000.00000000.sdmp, IxE6TjWjRM.exe, 00000000.00000003.1785853339.00000180F1650000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: BitLockerToGo.exe, 00000001.00000002.1965117082.000000000DC14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1982487820.000000000E3F8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2058005086.000000001030C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1911142447.000000000BDD5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2018695992.000000000F369000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2038067480.000000000FAFC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2000142112.000000000EB99000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1934652431.000000000CC6E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1922706182.000000000C4F0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1949754162.000000000D457000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\* source: BitLockerToGo.exe, 00000001.00000002.1888258746.0000000000B91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: IxE6TjWjRM.exe, 00000000.00000002.1789102261.000000C000708000.00000004.00001000.00020000.00000000.sdmp, IxE6TjWjRM.exe, 00000000.00000003.1785889347.00000180F1610000.00000004.00001000.00020000.00000000.sdmp, IxE6TjWjRM.exe, 00000000.00000002.1789102261.000000C0005EA000.00000004.00001000.00020000.00000000.sdmp, IxE6TjWjRM.exe, 00000000.00000003.1785853339.00000180F1650000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 85.244.212.106:2227

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 185.244.212.106:2227

Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106

Source: BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: IxE6TjWjRM.exe	String found in binary or memory: https://github.com/gabomdq/SDL_GameControllerDB
Source: IxE6TjWjRM.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: IxE6TjWjRM.exe	String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictnot
Source: BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: IxE6TjWjRM.exe, 00000000.00000000.1700673524.00007FF694BFE000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: directInput8Create

memstr_f81e8bec-a

Source: IxE6TjWjRM.exe

Binary or memory string: github.com/hajimehoshi/ebiten/v2/internal/glfwwin._GetRawInputData

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1789102261.000000C0005EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: IxE6TjWjRM.exe

Static PE information: Number of sections : 12 > 10

Source: IxE6TjWjRM.exe, 00000000.00000002.1789102261.000000C000708000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs IxE6TjWjRM.exe
Source: IxE6TjWjRM.exe, 00000000.00000002.1796358794.00007FF695611000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameCorporate Confidential.exe vs IxE6TjWjRM.exe
Source: IxE6TjWjRM.exe, 00000000.00000003.1785889347.00000180F1610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs IxE6TjWjRM.exe
Source: IxE6TjWjRM.exe, 00000000.00000002.1789102261.000000C0005EA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs IxE6TjWjRM.exe
Source: IxE6TjWjRM.exe, 00000000.00000003.1785853339.00000180F1650000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs IxE6TjWjRM.exe
Source: IxE6TjWjRM.exe	Binary or memory string: OriginalFileNameCorporate Confidential.exe vs IxE6TjWjRM.exe

Source: 00000000.00000002.1789102261.000000C0005EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@0/1

Source: C:\Users\user\Desktop\IxE6TjWjRM.exe

File created: C:\Users\Public\Libraries\golgi.scif

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Mutant created: \Sessions\1\BaseNamedObjects\2eb14e5a-24b6-440f-9960-853ad1ecab73

Source: C:\Users\user\Desktop\IxE6TjWjRM.exe

File opened: C:\Windows\system32\f4f802c0ad9fd637e22dd70be5e4c19df66da295ce520feee92e831f9aed5bd4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: IxE6TjWjRM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IxE6TjWjRM.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: IxE6TjWjRM.exe	ReversingLabs: Detection: 50%
Source: IxE6TjWjRM.exe	Virustotal: Detection: 58%

Source: IxE6TjWjRM.exe	String found in binary or memory: net/addrselect.go
Source: IxE6TjWjRM.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: IxE6TjWjRM.exe	String found in binary or memory: net/addrselect.go
Source: IxE6TjWjRM.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go

Source: C:\Users\user\Desktop\IxE6TjWjRM.exe

File read: C:\Users\user\Desktop\IxE6TjWjRM.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IxE6TjWjRM.exe "C:\Users\user\Desktop\IxE6TjWjRM.exe"
Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior

Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior

Source: IxE6TjWjRM.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: IxE6TjWjRM.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: IxE6TjWjRM.exe

Static file information: File size 15064064 > 1048576

Source: IxE6TjWjRM.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3f6800
Source: IxE6TjWjRM.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x966200

Source: IxE6TjWjRM.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: ntkrnlmp.pdbx, source: BitLockerToGo.exe, 00000001.00000002.1965117082.000000000DC14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1898911144.000000000B7E6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2018695992.000000000F367000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1911142447.000000000BDCB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2000142112.000000000EB94000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2038067480.000000000FAFC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1922706182.000000000C4F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2058005086.0000000010309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1934652431.000000000CC6E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1892965940.000000000B3C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1949754162.000000000D457000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1890705697.000000000B248000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1982487820.000000000E401000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: BitLockerToGo.exe, 00000001.00000002.1965117082.000000000DC14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1898911144.000000000B7E6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1982487820.000000000E3F8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2018695992.000000000F367000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2058005086.000000001030C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1911142447.000000000BDCB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2000142112.000000000EB94000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2018695992.000000000F369000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2038067480.000000000FAFC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1922706182.000000000C4F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2000142112.000000000EB9C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2058005086.0000000010309000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1934652431.000000000CC6E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1892965940.000000000B3C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1949754162.000000000D457000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1890705697.000000000B248000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1982487820.000000000E401000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1949754162.000000000D45E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: IxE6TjWjRM.exe, 00000000.00000002.1789102261.000000C000708000.00000004.00001000.00020000.00000000.sdmp, IxE6TjWjRM.exe, 00000000.00000003.1785889347.00000180F1610000.00000004.00001000.00020000.00000000.sdmp, IxE6TjWjRM.exe, 00000000.00000002.1789102261.000000C0005EA000.00000004.00001000.00020000.00000000.sdmp, IxE6TjWjRM.exe, 00000000.00000003.1785853339.00000180F1650000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: BitLockerToGo.exe, 00000001.00000002.1965117082.000000000DC14000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1982487820.000000000E3F8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2058005086.000000001030C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1911142447.000000000BDD5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2018695992.000000000F369000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2038067480.000000000FAFC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.2000142112.000000000EB99000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1934652431.000000000CC6E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1922706182.000000000C4F0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1949754162.000000000D457000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\* source: BitLockerToGo.exe, 00000001.00000002.1888258746.0000000000B91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: IxE6TjWjRM.exe, 00000000.00000002.1789102261.000000C000708000.00000004.00001000.00020000.00000000.sdmp, IxE6TjWjRM.exe, 00000000.00000003.1785889347.00000180F1610000.00000004.00001000.00020000.00000000.sdmp, IxE6TjWjRM.exe, 00000000.00000002.1789102261.000000C0005EA000.00000004.00001000.00020000.00000000.sdmp, IxE6TjWjRM.exe, 00000000.00000003.1785853339.00000180F1650000.00000004.00001000.00020000.00000000.sdmp

Source: IxE6TjWjRM.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\IxE6TjWjRM.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_1-2336

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_005820E1 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,

1_2_005820E1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior

Source: IxE6TjWjRM.exe	Binary or memory string: IP8DklSQddTu2vgFwc5/X/nREmCJE0yvY0Fwwom7C7JcV2+9Q5UgC4uU6HTYGMER3qmqBCknnDJXNlLU5xK4SCdSsfnOejM2Kl1aZ4fL/9A8mS8UizmWOlsQVTx2JTHBy9IUGgGrGxrbxWXiozSbpSr0Cwhn5nZmvZpcch6lHgfsJQi0pkg+y42esnVgQXATSJ/aV7dC6KVMPbalpvSn6WjZofVvNGVuGg6TRkdDuoI4RnTZxAV9TtFkPkZAMAr2z/h9
Source: IxE6TjWjRM.exe	Binary or memory string: L5d8ER8q0TbpjlWIOzH9ZnBNo1FpUxNz+YLOz8WsxIPbUlAyqWhEu3BQsZ6h+p8RtimxwboLxgaIEjBn7FFr7MnDH1tc3y9stIj6f+RQ4jPHGa1FeFSwCN1QQ7IGr45DFR9isASwZiJbrjjvUeSeEzIDFXqyrYWZf55BNUYpFdJyPctvMciDYlNRpxePomiCOycQacTjFeg49MAbE2oJzxv52l14iDDcLFacU87Mw8Wed/usyyb02vz+n7lgKP4cgmuq
Source: IxE6TjWjRM.exe	Binary or memory string: 6Nqyb+rvVlDpdA/Q9XznulPJhUb4HYKdMmp8jtZXvlxIdc16JI023VXcPfNLctIsq9kS0hOCzWXUa44rMuISYvWcPrSwS34sQR6So3+G/cvYeZAMvMsvzvJBsFtgjAV09odFcMJMkPnVrJ5ydvmciH5OMeB7zb0bmR/n1fovS1oZVSRIJ10BmMpHtpU9sUHLDgTlsXEmS+NdFS+VH3Wz2itVcheo3O257LPazSWSuiu7jr+sp+HzvNV11PDeWH8RU60d
Source: BitLockerToGo.exe, 00000001.00000002.1897112358.000000000B69E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: IxE6TjWjRM.exe, 00000000.00000002.1792165873.00000180EA4C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@@

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_005835C3 GetProcessHeap,HeapFree,

1_2_005835C3

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\IxE6TjWjRM.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 580000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\IxE6TjWjRM.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 580000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 580000			Jump to behavior
Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 68F008			Jump to behavior

Source: C:\Users\user\Desktop\IxE6TjWjRM.exe

Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 1_2_005820E1 cpuid

1_2_005820E1

Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Queries volume information: C:\Users\user\Desktop\IxE6TjWjRM.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IxE6TjWjRM.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected Poverty Stealer

Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c000e80000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c000d78000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IxE6TjWjRM.exe.180f1720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c000b70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c001198000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IxE6TjWjRM.exe.180f1500000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IxE6TjWjRM.exe.180f1500000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c000b70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IxE6TjWjRM.exe.180f1720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c001198000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c000e80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c000d78000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1786546407.00000180F1500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1791970814.000000C001198000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1774754791.00000180F1720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1791486951.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1790728531.000000C000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IxE6TjWjRM.exe PID: 6456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 6740, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Remote Access Functionality

Yara detected Poverty Stealer

Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c000e80000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c000d78000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IxE6TjWjRM.exe.180f1720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c000b70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c001198000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IxE6TjWjRM.exe.180f1500000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IxE6TjWjRM.exe.180f1500000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BitLockerToGo.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c000b70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IxE6TjWjRM.exe.180f1720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c001198000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c000e80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IxE6TjWjRM.exe.c000d78000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1786546407.00000180F1500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1791970814.000000C001198000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1774754791.00000180F1720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1791486951.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1790728531.000000C000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IxE6TjWjRM.exe PID: 6456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 6740, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	21 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	22 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IxE6TjWjRM.exe	50%	ReversingLabs	Win64.Adware.RedCap
IxE6TjWjRM.exe	58%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
85.244.212.106:2227	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://github.com/gabomdq/SDL_GameControllerDB	0%	Avira URL Cloud	safe
https://protobuf.dev/reference/go/faq#namespace-conflictnot	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://github.com/golang/protobuf/issues/1609):	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://github.com/golang/protobuf/issues/1609):	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://protobuf.dev/reference/go/faq#namespace-conflictnot	0%	Virustotal		Browse
https://github.com/gabomdq/SDL_GameControllerDB	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
85.244.212.106:2227	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/gabomdq/SDL_GameControllerDB	IxE6TjWjRM.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://protobuf.dev/reference/go/faq#namespace-conflictnot	IxE6TjWjRM.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/golang/protobuf/issues/1609):	IxE6TjWjRM.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	BitLockerToGo.exe, 00000001.00000002.1896788084.000000000B674000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1984182709.000000000E526000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1951728606.000000000D586000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1814222655.000000000B2AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1935470910.000000000CD98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.244.212.106	unknown	Romania		9009	M247GB	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1477129
Start date and time:	2024-07-20 05:06:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IxE6TjWjRM.exe renamed because original name is a hash value
Original Sample Name:	51a74c9b3c860a932aea37b77d55c3dc.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target IxE6TjWjRM.exe, PID 6456 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	3YHDfHLvo4.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	91.202.233.141
	UrgentRequest_for_Quotations_.vbs	Get hash	malicious	GuLoader, Remcos	Browse	172.111.244.98
	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Get hash	malicious	DarkTortilla, XWorm	Browse	104.250.180.178
	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	104.250.180.178
	LMSIN2407028 - PO# 4500577338, by 1x40' HQ .pdf.scr.exe	Get hash	malicious	PureLog Stealer, Remcos	Browse	104.250.180.178
	103.124.105.111-mips-2024-07-17T05_21_08.elf	Get hash	malicious	Mirai, Moobot	Browse	193.37.59.116
	https://login.hamgamtakhfif.ir/#afroditi.ladovrechis@innocap.com	Get hash	malicious	Unknown	Browse	91.202.233.193
	strathconaregistry policy for 2024 FYI.html	Get hash	malicious	HTMLPhisher	Browse	91.132.139.168
	strathconaregistry policy for 2024 FYI.html	Get hash	malicious	HTMLPhisher	Browse	91.132.139.168
	SecuriteInfo.com.Trojan.DownLoader46.63386.25844.4041.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	91.202.233.141

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.066342015868415
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	IxE6TjWjRM.exe
File size:	15'064'064 bytes
MD5:	51a74c9b3c860a932aea37b77d55c3dc
SHA1:	e3cd015f08557d51eea53e4a38a97f647ae4778e
SHA256:	19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83
SHA512:	4797412f939bbb87650ecf76b1ac7171f5e7ded7b5905e533cb3a43ac9d05376000352a4c99201e6fe486ee8a16f72abf946e68b8748dd7df135ffa402d1f0b1
SSDEEP:	49152:kz2yeHn4LzLdoW5fYrsfXPZLvhACVs4zXtjim8aJOyrwDX79spI8GFiAq9ajp8E/:3Hn4XiWfPZ1xptml7WYUEATH6Wlk
TLSH:	6EE65B47A9A145E8C49AD131C96692527A72BC888B7137D73F60FBA83F31BD09F38744
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.h?....................@.............................p......3.....`... ............................

File Icon


Icon Hash:	0d0ac413cc64924d

Static PE Info

General

Entrypoint:	0x1400014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x403ec080, 0x1, 0x403ec050, 0x1, 0x403efaf0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	c595f1660e1a3c84f4d9b0761d23cd7a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00E22515h]
mov dword ptr [eax], 00000001h
call 00007F02C47DFD4Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00E224F5h]
mov dword ptr [eax], 00000000h
call 00007F02C47DFD2Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F02C4BD59ECh
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F02C47E0069h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp dword ptr [eax]
inc edi
outsd
and byte ptr [edx+75h], ah
imul ebp, dword ptr [esp+20h], 203A4449h
and ah, byte ptr [ecx+33h]
push eax
jnc 00007F02C47E00BFh
xor al, 47h
push 0000006Bh
pop eax
push ebx
push esp
arpl word ptr [edi+67h], bx
pop edx
xor byte ptr [ecx+54h], dh
push ecx
das
popad
pop ecx
arpl word ptr [edx+32h], dx
inc esp
inc esp
inc edi
dec ebp
cmp dword ptr [ebp+4Bh], eax
xor ebp, dword ptr [edi+32h]
je 00007F02C47E00F1h
jne 00007F02C47E00C1h
js 00007F02C47E0109h
pop edi
push eax
xor al, 52h
push esi
push ebp
dec ebp
push eax
js 00007F02C47E00F7h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xecc000	0x4e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xecd000	0x1458	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xed1000	0xf54f	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe25000	0x13014	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xee1000	0x15edc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xe23340	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xecd494	0x458	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3f6620	0x3f6800	4ef51018f438ed0d9826d825ae3dc3b5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3f8000	0xc5a30	0xc5c00	18974a04d0bc65cb0ac0ee2a3cee4122	False	0.1948384165613148	dBase III DBT, version number 0, next free block index 10, 1st item "srf\011v0.0.0-20231208113052-ec27b585939d\011h1:blQvN88QpJEUeogQWe7piyxS5q8jSmJ68OfO/hl66u4="	5.617640369231133	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4be000	0x966170	0x966200	2612e76832f26d144541d62ee9d40522	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0xe25000	0x13014	0x13200	5dabfb4b8be93c41eb9453280da19e20	False	0.40548406862745096	data	5.549671106496767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0xe39000	0xc50	0xe00	65fe60a795cbe32edec6b6d011db4035	False	0.25864955357142855	data	3.992176142093356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0xe3a000	0x915a0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xecc000	0x4e	0x200	be615c338e96d6ad8030a0694e2a15d6	False	0.1328125	data	0.8426867641107897	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0xecd000	0x1458	0x1600	f4112599a0f7789f408d36caa040ec00	False	0.29829545454545453	data	4.342567147953736	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xecf000	0x70	0x200	94c2b2111ff9064fbbb1c1992105ebf0	False	0.08203125	data	0.47139462148086453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xed0000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xed1000	0xf54f	0xf600	d804928748badf4419e5b76fb400c9be	False	0.2611788617886179	data	4.918156728157554	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xee1000	0x15edc	0x16000	2eb28f2a3f3edbc8a475f420292be12b	False	0.24212091619318182	data	5.428897402775958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xed1370	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.3575268817204301
RT_ICON	0xed1658	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.46959459459459457
RT_ICON	0xed1780	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688			0.3683368869936034
RT_ICON	0xed2628	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152			0.48014440433212996
RT_ICON	0xed2ed0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320			0.6091040462427746
RT_ICON	0xed3438	0x1d65	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9215946843853821
RT_ICON	0xed51a0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.08478979688238072
RT_ICON	0xed93c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.12302904564315352
RT_ICON	0xedb970	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720			0.14363905325443788
RT_ICON	0xedd3d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.175656660412758
RT_ICON	0xede480	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.25245901639344265
RT_ICON	0xedee08	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680			0.2941860465116279
RT_ICON	0xedf4c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.3475177304964539
RT_GROUP_ICON	0xedf928	0xbc	data			0.6595744680851063
RT_VERSION	0xedf9e4	0x5e0	data			0.23670212765957446
RT_MANIFEST	0xedffc4	0x58b	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.42212825933756165

Imports

DLL

Import

KERNEL32.dll

AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler

msvcrt.dll

___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen

Exports

Name	Ordinal	Address
_cgo_dummy_export	1	0x140eca7d0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-20T05:07:24.579180+0200	TCP	2048736	ET MALWARE PovertyStealer Exfiltration M3	49736	2227	192.168.2.4	185.244.212.106

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 20, 2024 05:07:24.563956976 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.569506884 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.572374105 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.572375059 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.572520971 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.578958988 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.579024076 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.579067945 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.579108953 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.579150915 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.579180002 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.579180002 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.579313040 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.579583883 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.579649925 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.579693079 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.579735994 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.579814911 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.584342957 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.584562063 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.585355043 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.585397959 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.585480928 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.585536003 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.585906982 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.585972071 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.586013079 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.586040974 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.586096048 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.630744934 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.631021976 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.678744078 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.678916931 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.726445913 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.728199005 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.774609089 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.774691105 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.822479010 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.822626114 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.870646000 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.870740891 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.918365955 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.918569088 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:24.970532894 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:24.970717907 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.227797985 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.227885008 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.227962017 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.228390932 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.233185053 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.233402967 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.233814001 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.233876944 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.233917952 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.233958960 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.233999014 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234039068 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234078884 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234080076 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.234154940 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234199047 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234230995 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.234239101 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234271049 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.234280109 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234345913 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.234366894 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234409094 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234447956 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234469891 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.234492064 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234507084 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.234558105 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234597921 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234616995 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.234642029 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234700918 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.234704018 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234769106 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.234769106 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234812021 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234850883 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234884024 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.234913111 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234954119 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.234993935 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.235014915 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.235033989 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.235054970 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.235073090 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.235086918 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.235114098 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.235153913 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.235176086 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.235193968 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.235212088 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.236174107 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.238012075 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238054991 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238076925 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.238095999 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238149881 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.238228083 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238286018 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238296032 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.238346100 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.238456964 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238503933 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238517046 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.238544941 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238584995 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238600016 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.238660097 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.238681078 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238728046 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238768101 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238790035 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.238822937 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238835096 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.238864899 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238886118 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.238919020 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.238928080 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.238969088 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.239007950 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.239034891 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.239069939 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.240134954 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.240176916 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.240220070 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.240242958 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.240278959 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.240282059 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.240386963 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.240427971 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.240452051 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.240488052 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.240503073 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.240544081 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.240608931 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.240662098 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.240703106 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.240751982 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.240855932 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.240896940 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.240911007 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.240951061 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.240959883 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241003036 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241019011 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241044044 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241070986 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241086960 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241101980 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241151094 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241167068 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241193056 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241231918 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241238117 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241272926 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241276026 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241321087 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241338968 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241363049 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241404057 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241400957 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241450071 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241458893 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241489887 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241529942 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241554976 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241591930 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241594076 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241633892 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241673946 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241691113 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241714001 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241755009 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241776943 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241796017 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241807938 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241836071 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241877079 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241895914 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241918087 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.241935015 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.241959095 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242017984 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.242019892 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242060900 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242106915 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242130995 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.242149115 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242188931 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242211103 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.242228031 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242247105 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.242268085 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242276907 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.242307901 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242347002 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242368937 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.242405891 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.242567062 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242662907 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242702961 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242731094 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.242743969 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.242775917 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.242975950 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243036032 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.243036985 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243099928 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243100882 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.243143082 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243181944 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243194103 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.243227005 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243233919 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.243267059 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243293047 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.243340969 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.243382931 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243422985 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243447065 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.243485928 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243526936 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243541002 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.243567944 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243587017 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.243611097 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243650913 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243660927 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.243690968 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243731022 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243746042 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.243793011 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243834019 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243853092 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.243874073 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243887901 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.243915081 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243954897 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.243978977 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.244002104 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.244013071 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.244043112 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.244082928 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.244092941 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.244128942 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.244149923 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.244190931 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.244230032 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.244244099 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.244270086 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.244277954 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.245249033 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245280027 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245306969 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.245351076 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.245353937 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245373011 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245402098 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245419979 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245433092 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.245440006 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245455980 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245470047 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.245476961 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245506048 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245507956 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.245517969 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245541096 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245580912 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.245585918 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245646954 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245666981 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245683908 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245703936 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245722055 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245731115 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.245752096 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245774984 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.245781898 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245800018 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245817900 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245839119 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245857954 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245857954 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.245891094 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245902061 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.245919943 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245939016 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245954037 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.245985985 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.246018887 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.246037006 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.246087074 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.247179985 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247240067 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.247359991 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247378111 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247399092 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247416973 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247445107 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.247468948 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247478962 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.247489929 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247533083 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247549057 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.247550011 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247601032 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.247733116 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247750044 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247788906 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.247833014 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.247847080 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247864008 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247886896 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247915030 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247927904 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247929096 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.247951031 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247972012 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.247977018 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.247989893 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.248017073 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.248045921 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.248063087 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.248065948 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.248084068 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.248092890 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.248110056 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.248132944 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.248162031 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.249037027 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249094963 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249166012 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.249232054 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249250889 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249269962 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249288082 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249320030 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249334097 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.249336958 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249357939 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249376059 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.249408960 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249409914 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.249454021 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249469995 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249516010 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.249536991 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249588966 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.249650002 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249753952 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249772072 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249780893 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.249795914 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249814034 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249818087 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.249860048 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249860048 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.249880075 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.249919891 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.249989033 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250035048 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250097990 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.250118971 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250137091 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250159025 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250174046 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.250178099 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250206947 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.250241995 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.250258923 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250272989 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250305891 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250350952 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.250355005 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250394106 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250396967 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.250415087 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250458956 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.250488997 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.250576019 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250592947 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250614882 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250633001 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.250643969 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250672102 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.250756025 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250823021 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.250880957 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250969887 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.250988960 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251017094 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251020908 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251070023 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251095057 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251113892 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251131058 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251157999 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251158953 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251176119 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251197100 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251235008 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251301050 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251319885 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251338005 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251355886 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251363039 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251374960 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251404047 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251410007 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251420975 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251441002 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251461029 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251487970 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251497984 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251516104 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251523018 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251533985 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251560926 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251578093 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251580000 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251600027 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251633883 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251636028 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251652002 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251674891 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251691103 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251703978 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251722097 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251739979 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251760960 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251764059 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251775980 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251805067 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251807928 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251844883 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251847029 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251863003 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251879930 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251909018 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251924992 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251928091 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251944065 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251966000 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.251971006 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.251983881 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252022982 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.252026081 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252043962 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252062082 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252080917 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252090931 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.252098083 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252139091 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.252253056 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252269983 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252289057 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252305984 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252324104 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252340078 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.252341986 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252372026 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252382040 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.252389908 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252408028 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252424002 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252444029 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252465963 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.252473116 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252502918 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252522945 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252538919 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252543926 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.252559900 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252578974 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252585888 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.252590895 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252619028 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.252626896 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252645969 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252651930 CEST	49736	2227	192.168.2.4	185.244.212.106
Jul 20, 2024 05:07:25.252662897 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252682924 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252701044 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252717972 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252734900 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252749920 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252769947 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252809048 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252827883 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252844095 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252861023 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252882004 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252898932 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252916098 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252932072 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.252943993 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253103018 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253123045 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253145933 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253163099 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253197908 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253216028 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253242016 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253281116 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253323078 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253340006 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253360033 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253390074 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253407955 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253424883 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253443956 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253472090 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253487110 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253504992 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253534079 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253552914 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253568888 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253597021 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253613949 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253629923 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253648996 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253664970 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253694057 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253710985 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253731966 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253747940 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253765106 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253840923 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253856897 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253875971 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253895044 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.253910065 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254040956 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254057884 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254074097 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254093885 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254122972 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254139900 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254157066 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254168987 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254183054 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254198074 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254228115 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254267931 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254286051 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254304886 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254352093 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254367113 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254528999 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254540920 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254563093 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254579067 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254637957 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254653931 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254673004 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.254688025 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.264854908 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.409198046 CEST	2227	49736	185.244.212.106	192.168.2.4
Jul 20, 2024 05:07:25.410182953 CEST	49736	2227	192.168.2.4	185.244.212.106

Target ID:	0
Start time:	23:07:05
Start date:	19/07/2024
Path:	C:\Users\user\Desktop\IxE6TjWjRM.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\IxE6TjWjRM.exe"
Imagebase:	0x7ff694740000
File size:	15'064'064 bytes
MD5 hash:	51A74C9B3C860A932AEA37B77D55C3DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000003.1786546407.00000180F1500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000002.1791970814.000000C001198000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1789102261.000000C0005EA000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000003.1774754791.00000180F1720000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000002.1791486951.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000002.1790728531.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:07:14
Start date:	19/07/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase:	0xe90000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	27.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	355
Total number of Limit Nodes:	5

Executed Functions

Function 005820E1 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00583595: EnterCriticalSection.KERNEL32(005884D4,?,?,00583C72,?,005822DE), ref: 0058359F
Part of subcall function 00583595: GetProcessHeap.KERNEL32(00000008,?,?,?,00583C72,?,005822DE), ref: 005835A8
Part of subcall function 00583595: HeapAlloc.KERNEL32(00000000,?,?,?,00583C72,?,005822DE), ref: 005835AF
Part of subcall function 00583595: LeaveCriticalSection.KERNEL32(005884D4,?,?,?,00583C72,?,005822DE), ref: 005835B8

GetCurrentHwProfileA.ADVAPI32(?,?,0000011C), ref: 00582198
GetSystemInfo.KERNEL32(?,?,0000011C), ref: 005821BF
GlobalMemoryStatusEx.KERNEL32(?), ref: 005821F3
EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 00582275

Strings

- RAM: %d GB, xrefs: 0058220A
- VideoAdapter #%d: %s, xrefs: 00582241
@, xrefs: 005821EA
- HWID: %s, xrefs: 005821AC
- CPU: %s (%d cores), xrefs: 005821D1

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
API String ID: 3018433743-565344305
Opcode ID: 3660b586f6dad902dee8e9907eb40b52814d525f1ffa148a98a8c26166f33a0b
Instruction ID: 285921f3dcd03f7f4988e9221768e1178a8eca0566e6f2d26064f313f130a17e
Opcode Fuzzy Hash: 3660b586f6dad902dee8e9907eb40b52814d525f1ffa148a98a8c26166f33a0b
Instruction Fuzzy Hash: F44141716083059BD724EF14C889BABBFA8FBC8710F20492DFD55A7241E7709945CBA2

Function 00581D21 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0058475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0058489D), ref: 00584771
Part of subcall function 0058475F: LoadLibraryA.KERNEL32(ntdl,?,?,?,?,?,?,?,0058489D), ref: 0058477E

CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 00581DB6

Strings

CRYPT32.dll, xrefs: 00581D4F
Poverty is the parent of crime., xrefs: 00581D9F

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CryptDataHandleLibraryLoadModuleProtect
String ID: CRYPT32.dll$Poverty is the parent of crime.
API String ID: 1163816349-1885057629
Opcode ID: 74258ad5ab9eda60e575d337e0099a24f746c6c7d4020b3e20e97f33d08c7ee9
Instruction ID: 56b95f10ac5c964b357e27bd0d95d82e7e0e8ef0bec11c77b669ca0c388f8756
Opcode Fuzzy Hash: 74258ad5ab9eda60e575d337e0099a24f746c6c7d4020b3e20e97f33d08c7ee9
Instruction Fuzzy Hash: 53110BB5D0020DABDB10DF95C9859EEBFBCFB48310F10456AE945B3240E770AE0ACBA0

Function 005835C3 Relevance: 2.5, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,005826DC), ref: 005835CA
HeapFree.KERNEL32(00000000), ref: 005835D1

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 0f2853ab5b3b27aef20a7d99c891ae40ab4b55b68e0737d579f9d90de0429dd0
Instruction ID: 8bd0e21d6c7d2c8afb5ce0ff76b611201196c0abd78704ea858e9697fe25089e
Opcode Fuzzy Hash: 0f2853ab5b3b27aef20a7d99c891ae40ab4b55b68e0737d579f9d90de0429dd0
Instruction Fuzzy Hash: 64B09270609104EAEE082BA09D0DB3A3A18BB18B02F202098BA02B54508A6885089B20

Function 00582282 Relevance: 38.8, APIs: 13, Strings: 9, Instructions: 304
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(005884D4,00000DA3), ref: 00582297
CreateMutexA.KERNEL32(00000000,00000000,2eb14e5a-24b6-440f-9960-853ad1ecab73), ref: 005822AF
GetLastError.KERNEL32 ref: 005822C2

Strings

kernel32, xrefs: 00582439
$d.log, xrefs: 00582678
- UserAgent: %s, xrefs: 005825B3
shell32, xrefs: 005823E5
@, xrefs: 005825DE
$, xrefs: 005825FD
- OperationSystem: %d:%d:%d, xrefs: 0058232A
2eb14e5a-24b6-440f-9960-853ad1ecab73, xrefs: 005822A6, 00582612
Privat, xrefs: 005825F3

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$2eb14e5a-24b6-440f-9960-853ad1ecab73$@$Privat$kernel32$shell32
API String ID: 2005177960-1767218254
Opcode ID: fe4cca466d6f814d4c2d9da9a9292bb975df709b6cf321dfe23ea90f0bf718b7
Instruction ID: cc77e92c39134701571e3b96cb0276336cca479e2a1dc1afbf30b5bca8b5e6d3
Opcode Fuzzy Hash: fe4cca466d6f814d4c2d9da9a9292bb975df709b6cf321dfe23ea90f0bf718b7
Instruction Fuzzy Hash: F6C1CE3194424AAAEB10FBA4DC0EBBD7F75FB64704F500058ED01BA2E2EF754A49DB61

Function 00584C2D Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0058475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0058489D), ref: 00584771
Part of subcall function 0058475F: LoadLibraryA.KERNEL32(ntdl,?,?,?,?,?,?,?,0058489D), ref: 0058477E

GetSystemMetrics.USER32(0000004C,?,0000011C), ref: 00584C9E
GetSystemMetrics.USER32(0000004D,?,0000011C), ref: 00584CA5
ReleaseDC.USER32(00000000,00000000,?,?,0000011C), ref: 00584EA5

Part of subcall function 00583595: EnterCriticalSection.KERNEL32(005884D4,?,?,00583C72,?,005822DE), ref: 0058359F
Part of subcall function 00583595: GetProcessHeap.KERNEL32(00000008,?,?,?,00583C72,?,005822DE), ref: 005835A8
Part of subcall function 00583595: HeapAlloc.KERNEL32(00000000,?,?,?,00583C72,?,005822DE), ref: 005835AF
Part of subcall function 00583595: LeaveCriticalSection.KERNEL32(005884D4,?,?,?,00583C72,?,005822DE), ref: 005835B8

Part of subcall function 00583E03: EnterCriticalSection.KERNEL32(005884D4,?,0000011C), ref: 00583E15

Part of subcall function 005835C3: GetProcessHeap.KERNEL32(00000000,00000000,005826DC), ref: 005835CA
Part of subcall function 005835C3: HeapFree.KERNEL32(00000000), ref: 005835D1

Strings

6, xrefs: 00584D84
U, xrefs: 00584C5E
gdi3, xrefs: 00584C49
- ScreenSize: {lWidth=%d, lHeight=%d}, xrefs: 00584D28
2, xrefs: 00584C55
(, xrefs: 00584D78
er32, xrefs: 00584C65

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Heap$CriticalSection$EnterMetricsProcessSystem$AllocFreeHandleLeaveLibraryLoadModuleRelease
String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
API String ID: 1661398203-1028866296
Opcode ID: 478bd44a606caa52c1919e92f88c59de0d6cb57303f94545ed34116b3c8d16f4
Instruction ID: 696cd67867ed529b00be026735ee8fe4a975afc01b922d56c7e7c051382bddb2
Opcode Fuzzy Hash: 478bd44a606caa52c1919e92f88c59de0d6cb57303f94545ed34116b3c8d16f4
Instruction Fuzzy Hash: 0F719F71E00209EBDF20EBA5DC59FAEBBB9FF54700F104059E905BB291DB709A08DB65

Function 005844F7 Relevance: 16.7, APIs: 8, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00584108: GetFileAttributesW.KERNEL32(00AAAAE8,00581035,00AAAAE8,?), ref: 00584109

Part of subcall function 00583595: EnterCriticalSection.KERNEL32(005884D4,?,?,00583C72,?,005822DE), ref: 0058359F
Part of subcall function 00583595: GetProcessHeap.KERNEL32(00000008,?,?,?,00583C72,?,005822DE), ref: 005835A8
Part of subcall function 00583595: HeapAlloc.KERNEL32(00000000,?,?,?,00583C72,?,005822DE), ref: 005835AF
Part of subcall function 00583595: LeaveCriticalSection.KERNEL32(005884D4,?,?,?,00583C72,?,005822DE), ref: 005835B8

EnterCriticalSection.KERNEL32(005884D4), ref: 00584580
LeaveCriticalSection.KERNEL32(005884D4), ref: 005845CC
EnterCriticalSection.KERNEL32(005884D4), ref: 0058464F
LeaveCriticalSection.KERNEL32(005884D4), ref: 00584688
EnterCriticalSection.KERNEL32(005884D4), ref: 005846C5
LeaveCriticalSection.KERNEL32(005884D4), ref: 00584708
EnterCriticalSection.KERNEL32(005884D4), ref: 00584721
LeaveCriticalSection.KERNEL32(005884D4), ref: 0058474A

Part of subcall function 00584377: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,005845FF), ref: 00584390
Part of subcall function 00584377: GetProcAddress.KERNEL32(00000000,?,?,?,?,005845FF), ref: 00584399
Part of subcall function 00584377: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,005845FF), ref: 005843AA
Part of subcall function 00584377: GetProcAddress.KERNEL32(00000000,?,?,?,?,005845FF), ref: 005843AD
Part of subcall function 00584377: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,005845FF), ref: 0058442F
Part of subcall function 00584377: GetCurrentProcess.KERNEL32(005845FF,00000000,00000000,00000002,?,?,?,?,005845FF), ref: 0058444B
Part of subcall function 00584377: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,005845FF), ref: 0058445A
Part of subcall function 00584377: CloseHandle.KERNEL32(005845FF,?,?,?,?,005845FF), ref: 0058448A

Part of subcall function 005835C3: GetProcessHeap.KERNEL32(00000000,00000000,005826DC), ref: 005835CA
Part of subcall function 005835C3: HeapFree.KERNEL32(00000000), ref: 005835D1

Strings

\??\%s, xrefs: 0058452F
\Network\Cookies, xrefs: 005845EC
@, xrefs: 00584566

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocAttributesCloseCurrentDuplicateFileFreeOpen
String ID: @$\??\%s$\Network\Cookies
API String ID: 3156071667-2791195959
Opcode ID: d21833ec3d95fc208ad2abdf7dc7a8c79265ec8e4b93f87e3dacb8f5d9bd32ab
Instruction ID: 446fa59f11d7bff087bb22bffd1d83dd957b8f256d9cf874d45ac6945b16c9ff
Opcode Fuzzy Hash: d21833ec3d95fc208ad2abdf7dc7a8c79265ec8e4b93f87e3dacb8f5d9bd32ab
Instruction Fuzzy Hash: D971F77194020AEFEB44AB90DC4ABBD7BB5FB48705F608055FD01BA2E1EB709A49DF50

Function 00581000 Relevance: 15.7, APIs: 2, Strings: 8, Instructions: 700
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00584108: GetFileAttributesW.KERNEL32(00AAAAE8,00581035,00AAAAE8,?), ref: 00584109

Part of subcall function 00583595: EnterCriticalSection.KERNEL32(005884D4,?,?,00583C72,?,005822DE), ref: 0058359F
Part of subcall function 00583595: GetProcessHeap.KERNEL32(00000008,?,?,?,00583C72,?,005822DE), ref: 005835A8
Part of subcall function 00583595: HeapAlloc.KERNEL32(00000000,?,?,?,00583C72,?,005822DE), ref: 005835AF
Part of subcall function 00583595: LeaveCriticalSection.KERNEL32(005884D4,?,?,?,00583C72,?,005822DE), ref: 005835B8

EnterCriticalSection.KERNEL32(005884D4), ref: 005816F5
LeaveCriticalSection.KERNEL32(005884D4), ref: 0058170E

Strings

$Lr, xrefs: 00581281
%s%s, xrefs: 0058150B, 00581854, 005819EA, 00581A4F
Telegram, xrefs: 005816FB
%s\%s, xrefs: 005811A2
7a?=, xrefs: 00581730
Discord/, xrefs: 005813AF
%s\*, xrefs: 0058112A
7a?=, xrefs: 00581364

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterHeapLeave$AllocAttributesFileProcess
String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$7a?=$Discord/$Telegram
API String ID: 2679619987-60960798
Opcode ID: 054a8dbe1c57d608cac9e9b468bbd557904b1dcbf982324f92def100cffc0ed1
Instruction ID: 3887f9b3ec2445a14499f2a3175d11452e14883e6c0ab0901f2ff8e217ca088b
Opcode Fuzzy Hash: 054a8dbe1c57d608cac9e9b468bbd557904b1dcbf982324f92def100cffc0ed1
Instruction Fuzzy Hash: 2E323671E006155ADF24BBA4C845BBDBBB9FF90700F14405AEC05F72A1EF748E868B99

Function 005848D6 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 231
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,00582351), ref: 005848F7

Part of subcall function 0058475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0058489D), ref: 00584771
Part of subcall function 0058475F: LoadLibraryA.KERNEL32(ntdl,?,?,?,?,?,?,?,0058489D), ref: 0058477E

GetCurrentProcess.KERNEL32(Q#X), ref: 0058496B
IsWow64Process.KERNEL32(00000000), ref: 00584972

Strings

l, xrefs: 00584917
ntdl, xrefs: 00584914
ntdllQ#X, xrefs: 00584985
Q#X, xrefs: 00584964, 0058497A, 0058496A

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
String ID: Q#X$l$ntdl$ntdllQ#X
API String ID: 1207166019-2861492682
Opcode ID: 23087d37bb09941d73944226a332bd403d3ad34aceaa2c3d7170fa94eb95158e
Instruction ID: 1aeee5ee4e47182b8c7e0ba92deff7e9daef2a23f6a0a4ce3497a0a9089df000
Opcode Fuzzy Hash: 23087d37bb09941d73944226a332bd403d3ad34aceaa2c3d7170fa94eb95158e
Instruction Fuzzy Hash: 5381A631645303D6EF24AF14EC557793BAAFB20718F60581AEE05BB2E1DBB48D889F05

Function 00581FBA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNEL32 ref: 0058201D
GetKeyboardLayoutList.USER32(00000032,?), ref: 0058207F

Strings

- KeyboardLayouts: ( , xrefs: 00582068
), xrefs: 005820CF
- SystemLayout %d, xrefs: 00582059
{%d} , xrefs: 005820B2

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: DefaultKeyboardLanguageLayoutListUser
String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
API String ID: 167087913-619012376
Opcode ID: f397a81794e3872aa0d8118af0f240419affa4398483cd029f7b49e2f4c66f03
Instruction ID: 524ead09eac188d18788ecff5699dba3fbb2a97f326ef7a8aa1103cac0b285f5
Opcode Fuzzy Hash: f397a81794e3872aa0d8118af0f240419affa4398483cd029f7b49e2f4c66f03
Instruction Fuzzy Hash: BE31926090829CE9DB006FE8D4057BDBF70FF14701F105496F948F6282E6398B49D76A

Function 00584EB2 Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00584108: GetFileAttributesW.KERNEL32(00AAAAE8,00581035,00AAAAE8,?), ref: 00584109

EnterCriticalSection.KERNEL32(005884D4), ref: 00585014

Part of subcall function 00584EB2: LeaveCriticalSection.KERNEL32(005884D4), ref: 00585031

Strings

Telegram, xrefs: 0058501A
%s\%s, xrefs: 00584F72
%s\*, xrefs: 00584F42

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CriticalSection$AttributesEnterFileLeave
String ID: %s\%s$%s\*$Telegram
API String ID: 4087703252-4994844
Opcode ID: 11575bc89c71e4c004f5ed115f3fa57fe7a7c28c4ce0853ab8332dd18a812b5f
Instruction ID: 805e934779e239564d74dbd1d415323d0af3df2a8f64e8a50a33547cab919f39
Opcode Fuzzy Hash: 11575bc89c71e4c004f5ed115f3fa57fe7a7c28c4ce0853ab8332dd18a812b5f
Instruction Fuzzy Hash: FBA18521A14309A9EF10EBA0EC0ABBD7775FF94710F20545AED04FB2A0FAB14E45C75A

Function 005853F8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

106, xrefs: 0058557B, 0058557F
185.244.212.106, xrefs: 00585523
ws2_32.dll, xrefs: 00585473

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: 106$185.244.212.106$ws2_32.dll
API String ID: 4133054770-2093737415
Opcode ID: 9011013e62b7e1189199b3bbb5cc46249c8bc946c7a55ff542b2e6d0220f5dd4
Instruction ID: 8224d84c75c7e7a6695947a28cdae46c57ff8cf6f58691548fa69695457019c2
Opcode Fuzzy Hash: 9011013e62b7e1189199b3bbb5cc46249c8bc946c7a55ff542b2e6d0220f5dd4
Instruction Fuzzy Hash: A951F530C04289EDEF029BE8D8097EDBFB8AF15314F544489EA60BE1C1D7B5474ACB61

Function 0058475F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0058489D), ref: 00584771
LoadLibraryA.KERNEL32(ntdl,?,?,?,?,?,?,?,0058489D), ref: 0058477E

Strings

ntdl, xrefs: 0058476C, 0058477D

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: ntdl
API String ID: 4133054770-3973061744
Opcode ID: 1e12de61d7f05b12fba421060c0f33d3a110948b3d8331496f0317c9b6313f62
Instruction ID: 23fc950f69e0604047b51c6b799cc3b9e3816ed309f48fb263d6a6a66634d9a9
Opcode Fuzzy Hash: 1e12de61d7f05b12fba421060c0f33d3a110948b3d8331496f0317c9b6313f62
Instruction Fuzzy Hash: E331BA35E00656DBCB24EFA9C894ABDBBB0FB89700F15029ADC55B7341D734A952CFA0

Function 00583595 Relevance: 5.0, APIs: 4, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(005884D4,?,?,00583C72,?,005822DE), ref: 0058359F
GetProcessHeap.KERNEL32(00000008,?,?,?,00583C72,?,005822DE), ref: 005835A8
HeapAlloc.KERNEL32(00000000,?,?,?,00583C72,?,005822DE), ref: 005835AF
LeaveCriticalSection.KERNEL32(005884D4,?,?,?,00583C72,?,005822DE), ref: 005835B8

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID:
API String ID: 285244410-0
Opcode ID: 1dba3b4bf4c0bfa5bb81370b7e2c8c525178bfc9f36c6afd3a40a1bef37442a0
Instruction ID: f34e3b163bd3b487bb20187d6da09ee37ac6832aab0c8d7bc50a367ead21d36a
Opcode Fuzzy Hash: 1dba3b4bf4c0bfa5bb81370b7e2c8c525178bfc9f36c6afd3a40a1bef37442a0
Instruction Fuzzy Hash: A1D09B33504114D7CB5017E97C0D9ABAE6CFFA96617251055F905F7160C97488099B60

Function 00584108 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00AAAAE8,00581035,00AAAAE8,?), ref: 00584109

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6d0f895f99b19031a7d2c0d484b7650e6b5b0d57db460f859cc3ea7efd3fd1ee
Instruction ID: f430b5f8cc8a1f5491cc7c9bc6310f1c41435bdc615affabafecffb9d1508a77
Opcode Fuzzy Hash: 6d0f895f99b19031a7d2c0d484b7650e6b5b0d57db460f859cc3ea7efd3fd1ee
Instruction Fuzzy Hash: B2A02238030300CBCA2C03300F2E00E30000E2E2F03320B8CB033EC0E0EB28C2802A00

Non-executed Functions

Function 00584377 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,005845FF), ref: 00584390
GetProcAddress.KERNEL32(00000000,?,?,?,?,005845FF), ref: 00584399
GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,005845FF), ref: 005843AA
GetProcAddress.KERNEL32(00000000,?,?,?,?,005845FF), ref: 005843AD

Part of subcall function 00583595: EnterCriticalSection.KERNEL32(005884D4,?,?,00583C72,?,005822DE), ref: 0058359F
Part of subcall function 00583595: GetProcessHeap.KERNEL32(00000008,?,?,?,00583C72,?,005822DE), ref: 005835A8
Part of subcall function 00583595: HeapAlloc.KERNEL32(00000000,?,?,?,00583C72,?,005822DE), ref: 005835AF
Part of subcall function 00583595: LeaveCriticalSection.KERNEL32(005884D4,?,?,?,00583C72,?,005822DE), ref: 005835B8

OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,005845FF), ref: 0058442F
GetCurrentProcess.KERNEL32(005845FF,00000000,00000000,00000002,?,?,?,?,005845FF), ref: 0058444B
DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,005845FF), ref: 0058445A
CloseHandle.KERNEL32(005845FF,?,?,?,?,005845FF), ref: 0058448A
GetCurrentProcess.KERNEL32(005845FF,00000000,00000000,00000001,?,?,?,?,005845FF), ref: 00584498
DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,005845FF), ref: 005844A7
CloseHandle.KERNEL32(?,?,?,?,?,005845FF), ref: 005844BA
CloseHandle.KERNEL32(000000FF), ref: 005844DD
CloseHandle.KERNEL32(?), ref: 005844E5

Strings

NtQueryObject, xrefs: 0058439B
ntdll, xrefs: 0058438B, 005843A2
NtQuerySystemInformation, xrefs: 00584386

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocEnterLeaveOpen
String ID: NtQueryObject$NtQuerySystemInformation$ntdll
API String ID: 4050662462-2044536123
Opcode ID: 8e7a53e64973dd1fa5f97b7d66e30c5c52134f5f0321f3bc8e9259774cad83cf
Instruction ID: 7e60c3a4a0243d0e779d16650dbce62a454bc51fd1f256f27cfda8c872175018
Opcode Fuzzy Hash: 8e7a53e64973dd1fa5f97b7d66e30c5c52134f5f0321f3bc8e9259774cad83cf
Instruction Fuzzy Hash: 24415071A0021AABDF10ABE58C48AAEBFB9FF58710F244165ED05F21A0DB74DE44DF60

Function 00582A1E Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 245COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00582B09

Strings

(null), xrefs: 00582B9A
(null), xrefs: 00582C14
0123456789abcdef, xrefs: 00582A7E
0123456789ABCDEF, xrefs: 00582A85

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
API String ID: 1302938615-1267642376
Opcode ID: ed7fe158dd1065c6e12320c5cd46c6d9558ccbc69d48d9f320e4ca48bac540cc
Instruction ID: 64bf281479bc0a8a74287f94298704d7e43d932a98ef608a4d30ff8a370d26a0
Opcode Fuzzy Hash: ed7fe158dd1065c6e12320c5cd46c6d9558ccbc69d48d9f320e4ca48bac540cc
Instruction Fuzzy Hash: F5919F706047029FCB25EF19C48063ABFE5FF88344F24896EE89AA7661D370EC80CB41

Function 00583111 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

x, xrefs: 00583451

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: 866957c534a567071c84aeb30dd52540072e3e9861d4b022cd183e4bb707c7ef
Instruction ID: a758baf9e15ed4761a540d424705e063979568aaf9cba69540bf0e572eefe42b
Opcode Fuzzy Hash: 866957c534a567071c84aeb30dd52540072e3e9861d4b022cd183e4bb707c7ef
Instruction Fuzzy Hash: 84029F74E0424AEFCB45EF98C985AADBBF4FF09704F108856E826EB250D734AA51CF51

Function 00582C95 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 389COMMON

Download Yara Rule

APIs

Part of subcall function 00583595: EnterCriticalSection.KERNEL32(005884D4,?,?,00583C72,?,005822DE), ref: 0058359F
Part of subcall function 00583595: GetProcessHeap.KERNEL32(00000008,?,?,?,00583C72,?,005822DE), ref: 005835A8
Part of subcall function 00583595: HeapAlloc.KERNEL32(00000000,?,?,?,00583C72,?,005822DE), ref: 005835AF
Part of subcall function 00583595: LeaveCriticalSection.KERNEL32(005884D4,?,?,?,00583C72,?,005822DE), ref: 005835B8

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00582ECA

Strings

6#X, xrefs: 00582F4A

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocByteCharEnterLeaveMultiProcessWide
String ID: 6#X
API String ID: 2065145328-79621783
Opcode ID: 1495197dcd3cd4b53703bd5ad36355fa1f99c7465e798cd50d29ec22bd2c1d45
Instruction ID: 469bd14ff258afcb3dd2c30043b06ec21739ec7aa22ae01c70623e22aad065e3
Opcode Fuzzy Hash: 1495197dcd3cd4b53703bd5ad36355fa1f99c7465e798cd50d29ec22bd2c1d45
Instruction Fuzzy Hash: D5029D74A04249EFCF41EFA8C985AADBFF0BB09314F148495E865FB250D734AA41CF65

Function 00583DA9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,00000000,00000000,00000000,?,?,?,00583E4E,00000000,?,0000011C), ref: 00583DC1

Part of subcall function 00583595: EnterCriticalSection.KERNEL32(005884D4,?,?,00583C72,?,005822DE), ref: 0058359F
Part of subcall function 00583595: GetProcessHeap.KERNEL32(00000008,?,?,?,00583C72,?,005822DE), ref: 005835A8
Part of subcall function 00583595: HeapAlloc.KERNEL32(00000000,?,?,?,00583C72,?,005822DE), ref: 005835AF
Part of subcall function 00583595: LeaveCriticalSection.KERNEL32(005884D4,?,?,?,00583C72,?,005822DE), ref: 005835B8

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,?,00000000,00000000,?,00583E4E,00000000,?,0000011C), ref: 00583DF7

Strings

$d.log, xrefs: 00583DB8, 00583DF0

Memory Dump Source

Source File: 00000001.00000002.1888018787.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_580000_BitLockerToGo.jbxd

Yara matches

Similarity

API ID: ByteCharCriticalHeapMultiSectionWide$AllocEnterLeaveProcess
String ID: $d.log
API String ID: 1918158005-1910398676
Opcode ID: e55ab66bfdfc804a0f5f91c77becae78c89c76211c310906885863f9f61b9624
Instruction ID: 0c08e2c13c96ea110b59abd9ead0d4b2e1bc9dc7382be5ef2b9f7e802fef2ccd
Opcode Fuzzy Hash: e55ab66bfdfc804a0f5f91c77becae78c89c76211c310906885863f9f61b9624
Instruction Fuzzy Hash: 33F0E2B1201121BFA3246A6ADC4DC777FACEBC5BB03044229FC28EF2D0D9609C0097B0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IxE6TjWjRM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Poverty Stealer

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
IxE6TjWjRM.exe

Function 005820E1 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 134
COMMON

Function 00581D21 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69
encryptionCOMMON

Function 005835C3 Relevance: 2.5, APIs: 2, Instructions: 8
memoryCOMMON

Function 00582282 Relevance: 38.8, APIs: 13, Strings: 9, Instructions: 304
synchronizationCOMMON

Function 00584C2D Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 208
COMMON

Function 005844F7 Relevance: 16.7, APIs: 8, Strings: 3, Instructions: 179
COMMON

Function 00581000 Relevance: 15.7, APIs: 2, Strings: 8, Instructions: 700
COMMON

Function 005848D6 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 231
memoryCOMMON

Function 00581FBA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 84
COMMON

Function 00584EB2 Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 286
COMMON

Function 005853F8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 139
COMMON

Function 0058475F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
libraryCOMMON

Function 00583595 Relevance: 5.0, APIs: 4, Instructions: 18
memoryCOMMON