Edit tour

Windows Analysis Report
F7fahhucBo.exe

Overview

General Information

Sample name:	F7fahhucBo.exe renamed because original name is a hash value
Original sample name:	ac83ee8e909f55b86251b145cfa42c66.exe
Analysis ID:	1484483
MD5:	ac83ee8e909f55b86251b145cfa42c66
SHA1:	ca465e5d157330d98feac14a18f6a252162cd270
SHA256:	bc4a818268862ec3af1e56dd94c9958e18bde15be09e9412a802903c3ff6dacd
Tags:	32exe
Infos:

Detection

Poverty Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Poverty Stealer

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking mutex)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to query CPU information (cpuid)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

F7fahhucBo.exe (PID: 564 cmdline: "C:\Users\user\Desktop\F7fahhucBo.exe" MD5: AC83EE8E909F55B86251B145CFA42C66)

CasPol.exe (PID: 1104 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

cleanup

Malware Configuration

Threatname: Poverty Stealer

{"C2 url": "85.244.212.106:2227"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000000.00000002.1265265580.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Process Memory Space: F7fahhucBo.exe PID: 564	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 1104	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.2.CasPol.exe.400000.0.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.F7fahhucBo.exe.2aee300.1.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.F7fahhucBo.exe.2ae6ca4.0.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.F7fahhucBo.exe.2af6308.2.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.F7fahhucBo.exe.2af6308.2.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
2.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.F7fahhucBo.exe.2aee300.1.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.F7fahhucBo.exe.2ae6ca4.0.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Click to see the 3 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.7

Timestamp:	2024-07-30T07:25:47.654438+0200
SID:	2022930
Source Port:	443
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE PovertyStealer Exfiltration M3 - Source IP: 192.168.2.7 - Destination IP: 185.244.212.106

Timestamp:	2024-07-30T07:24:54.370940+0200
SID:	2048736
Source Port:	49702
Destination Port:	2227
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.7

Timestamp:	2024-07-30T07:25:05.314234+0200
SID:	2022930
Source Port:	443
Destination Port:	49703
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: F7fahhucBo.exe

Avira: detected

Found malware configuration

Source: 0.2.F7fahhucBo.exe.2af6308.2.unpack

Malware Configuration Extractor: Poverty Stealer {"C2 url": "85.244.212.106:2227"}

Multi AV Scanner detection for submitted file

Source: F7fahhucBo.exe	Virustotal: Detection: 50%			Perma Link
Source: F7fahhucBo.exe	ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: F7fahhucBo.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 2_2_00401D21 CryptUnprotectData,CryptProtectData,

2_2_00401D21

Source: F7fahhucBo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: CasPol.exe, 00000002.00000002.1373118694.000000000AA7D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1352116648.0000000009730000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1355601662.0000000009BD9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1452918072.000000000D5D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1398986542.000000000BBAE000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1429763194.000000000CCE0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1373118694.000000000AA72000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1362538204.000000000A258000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1452918072.000000000D5DA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1386828744.000000000B2CF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1524823685.000000000EF8F000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1472365915.000000000DE5C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1472365915.000000000DE5E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1498869793.000000000E72E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1386828744.000000000B2D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1429763194.000000000CCE6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1414043221.000000000C44C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1352780051.00000000098A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: CasPol.exe, 00000002.00000002.1373118694.000000000AA7D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1398986542.000000000BBAE000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1362538204.000000000A258000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1452918072.000000000D5DA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1524823685.000000000EF89000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1472365915.000000000DE5E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1498869793.000000000E72E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1386828744.000000000B2D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1429763194.000000000CCE3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1414043221.000000000C44C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ..pdbd source: CasPol.exe, 00000002.00000002.1423070914.000000000C9F5000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1464732840.000000000DB6B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1394768890.000000000B8E6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1381378304.000000000B002000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1489563308.000000000E3C5000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1407408447.000000000C15C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1445493849.000000000D28E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1515767209.000000000EC9A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1359488355.000000000A024000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1368605605.000000000A79A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbx6 source: CasPol.exe, 00000002.00000002.1352116648.0000000009730000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1355601662.0000000009BD9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1452918072.000000000D5D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1398986542.000000000BBAE000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1373118694.000000000AA72000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1362538204.000000000A258000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1386828744.000000000B2CF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1524823685.000000000EF8F000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1472365915.000000000DE5C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1498869793.000000000E72E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1429763194.000000000CCE6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1414043221.000000000C44C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1352780051.00000000098A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: CasPol.exe, 00000002.00000002.1351204271.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 2_2_00401000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,	2_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 2_2_00401DC9 FindFirstFileW,FindNextFileW,	2_2_00401DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 2_2_00404EB2 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,	2_2_00404EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 2_2_00404145 FindFirstFileW,FindNextFileW,	2_2_00404145
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 2_2_00403F87 FindFirstFileW,FindNextFileW,	2_2_00403F87

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Adobe\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 85.244.212.106:2227

Source: global traffic

TCP traffic: 192.168.2.7:49702 -> 185.244.212.106:2227

Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106

Source: CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ic
Source: CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.sea
Source: CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chromL
Source: CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chro
Source: CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bing.co
Source: CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 2_2_00404C2D GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC,

2_2_00404C2D

System Summary

.NET source code contains very large strings

Source: F7fahhucBo.exe, Program.cs

Long String: Length: 40300

Source: C:\Users\user\Desktop\F7fahhucBo.exe

Code function: 0_2_029219C0

0_2_029219C0

Source: F7fahhucBo.exe, 00000000.00000002.1264643748.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs F7fahhucBo.exe
Source: F7fahhucBo.exe, 00000000.00000000.1262952876.0000000000832000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNetStub.exe0 vs F7fahhucBo.exe
Source: F7fahhucBo.exe	Binary or memory string: OriginalFilenameNetStub.exe0 vs F7fahhucBo.exe

Source: F7fahhucBo.exe, Program.cs

Base64 encoded string: 'QzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29ya1x2NC4wLjMwMzE5XENhc1BvbC5leGU='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/1

Source: C:\Users\user\Desktop\F7fahhucBo.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F7fahhucBo.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\F7fahhucBo.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\0060cbb5-1dbd-468c-b2ba-03be756aa1c1

Source: F7fahhucBo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: F7fahhucBo.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\F7fahhucBo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CasPol.exe, 00000002.00000002.1500480152.000000000E788000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: F7fahhucBo.exe	Virustotal: Detection: 50%
Source: F7fahhucBo.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\F7fahhucBo.exe "C:\Users\user\Desktop\F7fahhucBo.exe"
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior

Source: C:\Users\user\Desktop\F7fahhucBo.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mswsock.dll	Jump to behavior

Source: F7fahhucBo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: F7fahhucBo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: CasPol.exe, 00000002.00000002.1373118694.000000000AA7D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1352116648.0000000009730000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1355601662.0000000009BD9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1452918072.000000000D5D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1398986542.000000000BBAE000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1429763194.000000000CCE0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1373118694.000000000AA72000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1362538204.000000000A258000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1452918072.000000000D5DA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1386828744.000000000B2CF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1524823685.000000000EF8F000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1472365915.000000000DE5C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1472365915.000000000DE5E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1498869793.000000000E72E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1386828744.000000000B2D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1429763194.000000000CCE6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1414043221.000000000C44C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1352780051.00000000098A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: CasPol.exe, 00000002.00000002.1373118694.000000000AA7D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1398986542.000000000BBAE000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1362538204.000000000A258000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1452918072.000000000D5DA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1524823685.000000000EF89000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1472365915.000000000DE5E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1498869793.000000000E72E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1386828744.000000000B2D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1429763194.000000000CCE3000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1414043221.000000000C44C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ..pdbd source: CasPol.exe, 00000002.00000002.1423070914.000000000C9F5000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1464732840.000000000DB6B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1394768890.000000000B8E6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1381378304.000000000B002000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1489563308.000000000E3C5000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1407408447.000000000C15C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1445493849.000000000D28E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1515767209.000000000EC9A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1359488355.000000000A024000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1368605605.000000000A79A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbx6 source: CasPol.exe, 00000002.00000002.1352116648.0000000009730000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1355601662.0000000009BD9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1452918072.000000000D5D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1398986542.000000000BBAE000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1373118694.000000000AA72000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1362538204.000000000A258000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1386828744.000000000B2CF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1524823685.000000000EF8F000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1472365915.000000000DE5C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1498869793.000000000E72E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1429763194.000000000CCE6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1414043221.000000000C44C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1352780051.00000000098A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: CasPol.exe, 00000002.00000002.1351204271.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp

Source: F7fahhucBo.exe

Static PE information: 0xD0BCD7F5 [Sat Dec 21 20:03:01 2080 UTC]

Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_2-2312

Source: C:\Users\user\Desktop\F7fahhucBo.exe	Memory allocated: 2920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Memory allocated: 2AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Memory allocated: 4AA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\F7fahhucBo.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\F7fahhucBo.exe TID: 4852

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 2_2_00401000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,	2_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 2_2_00401DC9 FindFirstFileW,FindNextFileW,	2_2_00401DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 2_2_00404EB2 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,	2_2_00404EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 2_2_00404145 FindFirstFileW,FindNextFileW,	2_2_00404145
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 2_2_00403F87 FindFirstFileW,FindNextFileW,	2_2_00403F87

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 2_2_004020E1 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,

2_2_004020E1

Source: C:\Users\user\Desktop\F7fahhucBo.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Adobe\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\	Jump to behavior

Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: CasPol.exe, 00000002.00000002.1353544419.000000000999D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.co..microsoft.visualstudio.comVMware20,11696492231x
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: CasPol.exe, 00000002.00000002.1353544419.000000000999D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: CasPol.exe, 00000002.00000002.1491254995.000000000E45C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: CasPol.exe, 00000002.00000002.1414962318.000000000C4C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: CasPol.exe, 00000002.00000002.1502505042.000000000E890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 2_2_004035C3 GetProcessHeap,RtlFreeHeap,

2_2_004035C3

Source: C:\Users\user\Desktop\F7fahhucBo.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: F7fahhucBo.exe, MTD.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: F7fahhucBo.exe, MTD.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: F7fahhucBo.exe, MTD.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: F7fahhucBo.exe, MTD.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: F7fahhucBo.exe, MTD.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, payload, bufferSize, ref bytesRead)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\F7fahhucBo.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\F7fahhucBo.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\F7fahhucBo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 407000	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 408000	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 409000	Jump to behavior
Source: C:\Users\user\Desktop\F7fahhucBo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: C74008	Jump to behavior

Source: C:\Users\user\Desktop\F7fahhucBo.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 2_2_004020E1 cpuid

2_2_004020E1

Source: C:\Users\user\Desktop\F7fahhucBo.exe

Queries volume information: C:\Users\user\Desktop\F7fahhucBo.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\F7fahhucBo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Poverty Stealer

Source: Yara match	File source: 2.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F7fahhucBo.exe.2aee300.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F7fahhucBo.exe.2ae6ca4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F7fahhucBo.exe.2af6308.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F7fahhucBo.exe.2af6308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F7fahhucBo.exe.2aee300.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F7fahhucBo.exe.2ae6ca4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1265265580.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F7fahhucBo.exe PID: 564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 1104, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected Poverty Stealer

Source: Yara match	File source: 2.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F7fahhucBo.exe.2aee300.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F7fahhucBo.exe.2ae6ca4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F7fahhucBo.exe.2af6308.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F7fahhucBo.exe.2af6308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F7fahhucBo.exe.2aee300.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F7fahhucBo.exe.2ae6ca4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1265265580.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F7fahhucBo.exe PID: 564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 1104, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Data from Local System	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
F7fahhucBo.exe	51%	Virustotal		Browse
F7fahhucBo.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer
F7fahhucBo.exe	100%	Avira	TR/Dropper.Gen
F7fahhucBo.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/?q=	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://www.bing.co	0%	Virustotal		Browse
https://www.bing.co	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
85.244.212.106:2227	0%	Avira URL Cloud	safe
https://www.ecosia.org/search?q=	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/sugg/chromL	0%	Avira URL Cloud	safe
https://cdn.ecosia.org/assets/images/ic	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
https://duckduckgo.com/chro	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.sea	0%	Avira URL Cloud	safe
https://www.ecosia.org/search?q=	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://duckduckgo.com/chro	1%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
85.244.212.106:2227	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/?q=	CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.bing.co	CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/search?q=	CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chromL	CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ic	CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	CasPol.exe, 00000002.00000002.1527095126.000000000F017000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	CasPol.exe, 00000002.00000002.1353318658.0000000009946000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1399914660.000000000BC70000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1356160255.0000000009C9E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1431024556.000000000CDAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000002.00000002.1363507875.000000000A32D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chro	CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.sea	CasPol.exe, 00000002.00000002.1491036729.000000000E43A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.244.212.106	unknown	Romania		9009	M247GB	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1484483
Start date and time:	2024-07-30 07:23:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	F7fahhucBo.exe renamed because original name is a hash value
Original Sample Name:	ac83ee8e909f55b86251b145cfa42c66.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 30 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.244.212.106	IxE6TjWjRM.exe	Get hash	malicious	Poverty Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	COMANDA BELOR NR13 DIN 240715.xls	Get hash	malicious	Remcos	Browse	194.187.251.115
	AKPSrAWl2G.elf	Get hash	malicious	Mirai	Browse	193.32.99.139
	5oXS6HtbzC.elf	Get hash	malicious	Mirai	Browse	185.90.60.83
	AWD 490104998518.xls	Get hash	malicious	Remcos	Browse	194.187.251.115
	danabot.exe	Get hash	malicious	DanaBot	Browse	172.86.76.246
	danabot.exe	Get hash	malicious	DanaBot	Browse	172.86.76.246
	file.exe	Get hash	malicious	SystemBC	Browse	89.238.188.232
	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	38.207.19.49
	LisectAVT_2403002B_374.exe	Get hash	malicious	XenoRAT	Browse	37.120.141.155
	LisectAVT_2403002B_374.exe	Get hash	malicious	XenoRAT	Browse	37.120.141.155

Process:	C:\Users\user\Desktop\F7fahhucBo.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.306187851644185
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	F7fahhucBo.exe
File size:	92'160 bytes
MD5:	ac83ee8e909f55b86251b145cfa42c66
SHA1:	ca465e5d157330d98feac14a18f6a252162cd270
SHA256:	bc4a818268862ec3af1e56dd94c9958e18bde15be09e9412a802903c3ff6dacd
SHA512:	dcd57a67726525d5f12d19a37e65eb4de5539599efa7a9781c008eda1b710172f44a79603ebd15b42707210091a1b6cfefec2959d71efbcfaf59914a3e380323
SSDEEP:	1536:WWayDEpCdzqHFv8FIcHFbd8iZyACQk6r4L8mPaNJNUzLata/fn:WWayDEpC4vTclTycke4o0aNzUF3
TLSH:	2B933C243EFA502AF173EF765BE87996DA6FB6332B07A45E109003460B23A81DDD153D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..^...........}... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x417dee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD0BCD7F5 [Sat Dec 21 20:03:01 2080 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17d94	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x15df4	0x15e00	ff56ef7f8709c10d6b2dcd878adc19f9	False	0.5005022321428572	data	4.316094119837649	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0x596	0x600	92b255ce996701e84bb56ddf4acad581	False	0.4114583333333333	data	4.045231581385585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1a000	0xc	0x200	3e4b63f141f3557c9f3a8194cdc25afa	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x180a0	0x30c	data			0.4230769230769231
RT_MANIFEST	0x183ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-30T07:25:47.654438+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49709	20.114.59.183	192.168.2.7
2024-07-30T07:24:54.370940+0200	TCP	2048736	ET MALWARE PovertyStealer Exfiltration M3	49702	2227	192.168.2.7	185.244.212.106
2024-07-30T07:25:05.314234+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49703	20.114.59.183	192.168.2.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 30, 2024 07:24:54.360233068 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.365083933 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.365185976 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.365236044 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.365526915 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.370008945 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.370066881 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.370666981 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.370692015 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.370711088 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.370721102 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.370740891 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.370759964 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.370769024 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.370779037 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.370939970 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.374778032 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.374830008 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.374870062 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.374919891 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.375705004 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.375751972 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.375790119 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.375838995 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.375854969 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.375864029 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.375874043 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.375916004 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.418363094 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.418490887 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.466238976 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.466371059 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.514143944 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.514216900 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.562203884 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.562269926 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.611331940 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.611397028 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.662163019 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.662223101 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.710433960 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.710491896 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.758155107 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.758212090 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.806170940 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.806241035 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.826076031 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.826256990 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831182957 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831204891 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831243992 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831265926 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831268072 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831275940 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831295013 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831304073 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831320047 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831357956 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831394911 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831407070 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831440926 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831450939 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831500053 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831509113 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831554890 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831593037 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831603050 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831619978 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831629038 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831635952 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831638098 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831646919 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831705093 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831718922 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831763983 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831765890 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831773996 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831783056 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831800938 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831816912 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831824064 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831840992 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831868887 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831904888 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831929922 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831974030 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.831975937 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.831984043 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.832000971 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.832025051 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.832050085 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.832056046 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.832102060 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.832118988 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.832128048 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.832160950 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.832202911 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.832250118 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836128950 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836142063 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836159945 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836180925 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836206913 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836251974 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836261034 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836299896 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836317062 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836340904 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836357117 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836385012 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836400986 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836401939 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836442947 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836452007 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836498022 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836585999 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836595058 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836606979 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836648941 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836687088 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836698055 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836707115 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836715937 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836734056 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836735010 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836745024 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836761951 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836771011 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836786985 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836800098 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836803913 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836808920 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836817980 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836842060 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836852074 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836854935 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836896896 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836906910 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836909056 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836947918 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.836975098 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.836987019 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837004900 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837013960 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837016106 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837049961 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837058067 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837093115 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837116003 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837156057 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837157965 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837167025 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837176085 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837201118 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837217093 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837222099 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837227106 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837236881 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837266922 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837271929 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837279081 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837282896 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837301016 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837311029 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837316036 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837321043 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837327957 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837331057 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837359905 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837362051 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837369919 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837377071 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837387085 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837395906 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837416887 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837424040 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837431908 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837434053 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837476969 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837486029 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837486029 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837496996 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837519884 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837533951 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837541103 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837549925 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837562084 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837573051 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837605000 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837697029 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837707043 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837714911 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837723970 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837733030 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837742090 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837760925 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837763071 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837775946 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837775946 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837785959 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837800026 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837810040 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837811947 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837826014 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837826967 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837831974 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837841034 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.837843895 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.837886095 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841087103 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841120958 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841130018 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841134071 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841146946 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841173887 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841182947 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841197968 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841211081 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841222048 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841223001 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841259003 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841273069 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841305017 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841315031 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841361046 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841362000 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841372013 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841386080 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841406107 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841423988 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841432095 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841443062 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841444016 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841469049 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841475964 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841478109 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841500998 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841516018 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841523886 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841540098 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841583014 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841593027 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841605902 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841615915 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841631889 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841638088 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841650009 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841670990 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841672897 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841702938 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841794014 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841803074 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841836929 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841847897 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841855049 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841864109 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841875076 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841883898 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841906071 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841916084 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841927052 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841934919 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841934919 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841945887 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841970921 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841974974 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841979980 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.841991901 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.841999054 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842009068 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842015982 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842068911 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842071056 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842077971 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842087030 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842112064 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842119932 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842128992 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842133999 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842137098 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842173100 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842181921 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842183113 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842207909 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842216969 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842227936 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842268944 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842273951 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842291117 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842318058 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842331886 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842374086 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842384100 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842426062 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842454910 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842466116 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842474937 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842489004 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842509031 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842509985 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842533112 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842542887 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842547894 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842554092 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842577934 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842587948 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842596054 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842605114 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842616081 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842618942 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842633963 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842652082 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842659950 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842669964 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842684984 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842694044 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842701912 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842737913 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842766047 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842777014 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842787981 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842811108 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842812061 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842833996 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842853069 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842914104 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842924118 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842931032 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842953920 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842962980 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842964888 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842981100 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.842998028 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.842998981 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843008995 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843019009 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843028069 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843029976 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843044996 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843060970 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843066931 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843080044 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843087912 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843097925 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843099117 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843127012 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843137980 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843151093 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843159914 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843199968 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843209982 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843219995 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843239069 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843249083 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843257904 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843283892 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843292952 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843301058 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843331099 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843349934 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843358994 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843389034 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843394995 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843398094 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843426943 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843436003 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843453884 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843478918 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843491077 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843504906 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843533039 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843544006 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843553066 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843559980 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843564034 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843588114 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843606949 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843621969 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843631029 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843637943 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843647003 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843674898 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843681097 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843689919 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843694925 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843698025 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843717098 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843719959 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843727112 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843734980 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843743086 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843743086 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843790054 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843811989 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843822956 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843831062 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843835115 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843852043 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843861103 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843863010 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843868971 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843879938 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843894958 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843914986 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843920946 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843935966 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.843969107 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.843991995 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.844070911 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844080925 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844089031 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844109058 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844118118 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844124079 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.844125986 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844136000 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.844136000 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844146013 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844163895 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844175100 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844177008 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.844183922 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844192982 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.844193935 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844211102 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844227076 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.844234943 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.844240904 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.844258070 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.844302893 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.845984936 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846035004 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846049070 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846059084 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846066952 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846091986 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846112967 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846126080 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846136093 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846191883 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846194983 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846204996 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846215010 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846240044 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846256018 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846256018 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846266031 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846313953 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846415043 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846425056 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846462965 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846466064 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846476078 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846483946 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846487045 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846497059 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846515894 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846518993 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846534967 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846544027 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846545935 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846553087 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846556902 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846585989 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846590996 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846596956 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846606970 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846616030 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846636057 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846648932 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846658945 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846673965 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846692085 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846702099 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846704006 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846715927 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846719980 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846734047 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846749067 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846771955 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846793890 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846795082 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846805096 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846816063 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846841097 CEST	49702	2227	192.168.2.7	185.244.212.106
Jul 30, 2024 07:24:54.846887112 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846899986 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846910954 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846929073 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846937895 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846963882 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.846972942 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847045898 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847064972 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847074032 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847084045 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847196102 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847206116 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847214937 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847235918 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847244978 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847260952 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847270012 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847274065 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847294092 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847304106 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847374916 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847384930 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847410917 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847446918 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847460032 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847553015 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847563028 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847580910 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847589970 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847599030 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847631931 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847641945 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847651005 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847729921 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847757101 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847780943 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847790003 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847809076 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847819090 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847827911 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847899914 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847929001 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847960949 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847970009 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847979069 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.847982883 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848027945 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848045111 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848054886 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848066092 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848170042 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848179102 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848223925 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848233938 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848275900 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848285913 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848352909 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848362923 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848381996 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848392010 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848445892 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848455906 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848469973 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848494053 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848550081 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848560095 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848592043 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848670959 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848680019 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848690987 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848709106 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848721981 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848777056 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848787069 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848850012 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848859072 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848886967 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848908901 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848975897 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.848985910 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849041939 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849050999 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849069118 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849077940 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849176884 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849184990 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849195004 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849204063 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849220991 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849230051 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849240065 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849298000 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849349022 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849359989 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849416971 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849426985 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849446058 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849455118 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849490881 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849582911 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849591970 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849608898 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849618912 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849627972 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849644899 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849653006 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849713087 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849721909 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849767923 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849777937 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849833965 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849843979 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849895000 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849904060 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849925041 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849946976 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849965096 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.849973917 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850024939 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850034952 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850080013 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850090981 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850107908 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850136042 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850198030 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850209951 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850231886 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850241899 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850303888 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850313902 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850361109 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850389957 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850409031 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850434065 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850469112 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850478888 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850528955 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850538969 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850549936 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850563049 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850620985 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850630045 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850760937 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850770950 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850790024 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850799084 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850806952 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850816011 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850867987 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850889921 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850924015 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850933075 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850944042 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.850960970 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851048946 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851098061 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851118088 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851126909 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851176023 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851183891 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851246119 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851255894 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851274014 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851283073 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851370096 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851378918 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851394892 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851403952 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851469040 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851478100 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851490021 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851500034 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851589918 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851602077 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851620913 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851629019 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851687908 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851699114 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851706982 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851716042 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851725101 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851746082 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851757050 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851766109 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851874113 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851883888 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851891994 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851900101 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851917028 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851927042 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851965904 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.851974964 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852027893 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852036953 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852058887 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852077961 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852139950 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852159977 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852170944 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852232933 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852277994 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852287054 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852324009 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852334023 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852377892 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852386951 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852446079 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852454901 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852494955 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852505922 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852540970 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852550030 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852596045 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852605104 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852652073 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852662086 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852705002 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852714062 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852751970 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852761984 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852814913 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852823973 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852849007 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852859020 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852895975 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852905035 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852963924 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.852972031 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853005886 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853014946 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853046894 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853056908 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853171110 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853180885 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853189945 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853200912 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853216887 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853225946 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853277922 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853286982 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853337049 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853347063 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853367090 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853399992 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853442907 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853452921 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853499889 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853508949 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853548050 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853593111 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853602886 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853724957 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853734016 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853743076 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853748083 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853755951 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853765965 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853827953 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853837967 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853844881 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853853941 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853873968 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853883028 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853890896 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853960991 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853970051 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853977919 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853986979 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.853996038 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854003906 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854012012 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854090929 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854099989 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854109049 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854118109 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854126930 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854135036 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854202032 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854212046 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854219913 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854228973 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854238033 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854280949 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854290009 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854298115 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854307890 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854315996 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854325056 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854403019 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854413033 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854420900 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854429960 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854439020 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854448080 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854456902 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854475975 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854587078 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854597092 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854604959 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854613066 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854621887 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854630947 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854639053 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854648113 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854705095 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854715109 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854723930 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854732990 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854741096 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854749918 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854808092 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854818106 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.854825974 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:54.902169943 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:55.176039934 CEST	2227	49702	185.244.212.106	192.168.2.7
Jul 30, 2024 07:24:55.176151991 CEST	49702	2227	192.168.2.7	185.244.212.106

Target ID:	0
Start time:	01:24:44
Start date:	30/07/2024
Path:	C:\Users\user\Desktop\F7fahhucBo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\F7fahhucBo.exe"
Imagebase:	0x830000
File size:	92'160 bytes
MD5 hash:	AC83EE8E909F55B86251B145CFA42C66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000002.1265265580.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:24:44
Start date:	30/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:	0xad0000
File size:	108'664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	31.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	17.1%
Total number of Nodes:	41
Total number of Limit Nodes:	2

Executed Functions

Function 029219C0 Relevance: 1.7, Strings: 1, Instructions: 493
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<-q, xrefs: 02921D9E

Memory Dump Source

Source File: 00000000.00000002.1265183377.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_F7fahhucBo.jbxd

Similarity

API ID:
String ID: <-q
API String ID: 0-3445421276
Opcode ID: 20da0d8a0a552c8b15ac2745a0411ead1671992031dd726dcaee847cc63a6316
Instruction ID: b06e1ccd0a7886935f832179073008127b7c54c89a6a98f139f1fc5410f56f6c
Opcode Fuzzy Hash: 20da0d8a0a552c8b15ac2745a0411ead1671992031dd726dcaee847cc63a6316
Instruction Fuzzy Hash: DE025030B006159FDB18DB69D854B6DBBB6FFC8210F24C168D81AAB399DF319C46CB94

Function 0292163C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0292187E

Memory Dump Source

Source File: 00000000.00000002.1265183377.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_F7fahhucBo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 74f04f224feb1adb4ea93e7864faf82f628246e92f1af82b0696bd91d492f97d
Instruction ID: 2c3c767f56543c862818d3b083c6c4e1d0d26f8baa394cb0fc8245386e075ac4
Opcode Fuzzy Hash: 74f04f224feb1adb4ea93e7864faf82f628246e92f1af82b0696bd91d492f97d
Instruction Fuzzy Hash: C7A17A71D003698FEF24CF68C840BEDBBB6BF48314F1481A9E848A7245DB749999CF91

Function 02921648 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0292187E

Memory Dump Source

Source File: 00000000.00000002.1265183377.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_F7fahhucBo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e45666b620e40fb230458e5cba1c90bfb260d5dbda0b767185fe0eea967ff020
Instruction ID: 3713555eea28be1257b61cc8b147be18b05b3b9b52fd32581ef7397b4dce9e6e
Opcode Fuzzy Hash: e45666b620e40fb230458e5cba1c90bfb260d5dbda0b767185fe0eea967ff020
Instruction Fuzzy Hash: AE915A71D003298FEF24DF69C841BEDBBB6BB48314F148169E808A7245DB749999CF91

Function 02921221 Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 029212A6

Memory Dump Source

Source File: 00000000.00000002.1265183377.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_F7fahhucBo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 76bb73343826684c623092907940f39b32e03da56c148857d4715e2e493a1db7
Instruction ID: 2276998f25aa0660cfe4ca4eeb2cfbddd4416be786f855472176d4b10b9869f5
Opcode Fuzzy Hash: 76bb73343826684c623092907940f39b32e03da56c148857d4715e2e493a1db7
Instruction Fuzzy Hash: D8217C75D003488FDB10DFAAC4817EEBFF5AF49224F14842EE458A7241D7799945CFA0

Function 029213B9 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02921450

Memory Dump Source

Source File: 00000000.00000002.1265183377.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_F7fahhucBo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a5597c1f8855207a4ad0decddc151771cc0f0abe358cec48c3dafa68f77e9c13
Instruction ID: d2713349102e9f82683014811880d09f4c94593c79d7389436dda687bff86a03
Opcode Fuzzy Hash: a5597c1f8855207a4ad0decddc151771cc0f0abe358cec48c3dafa68f77e9c13
Instruction Fuzzy Hash: 3E213371D003599FDB10CFAAC881BEEBBF5FF48310F50842AE958A7241C7799955CBA0

Function 029213C0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02921450

Memory Dump Source

Source File: 00000000.00000002.1265183377.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_F7fahhucBo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1eed7bfbcba703ffe3c24c52f7688e83a0876a20f95b9a1a7549be1ac1aee0ba
Instruction ID: 34fe9af0c6ffc7222c6ec2892a212b6207b30e126077541690e84db315961ef8
Opcode Fuzzy Hash: 1eed7bfbcba703ffe3c24c52f7688e83a0876a20f95b9a1a7549be1ac1aee0ba
Instruction Fuzzy Hash: 90212375D003599FDB20DFAAC881BEEBBF5FF48310F50842AE918A7241C7789954CBA4

Function 02921170 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 029211DA

Memory Dump Source

Source File: 00000000.00000002.1265183377.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_F7fahhucBo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 14cd8ea62f2e2b984ff816fb609095ca0ec319fbd6bd2b8035a93b730e9a0f23
Instruction ID: aeff377d0f6885bb402a4cec47c47f21969600f9403952f392dd55f31d735040
Opcode Fuzzy Hash: 14cd8ea62f2e2b984ff816fb609095ca0ec319fbd6bd2b8035a93b730e9a0f23
Instruction Fuzzy Hash: 7F21A975D003598FCB20DFAAD445BEEFBF4EB88224F20885AD829A7601CB356805CF94

Function 029214AE Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02921530

Memory Dump Source

Source File: 00000000.00000002.1265183377.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_F7fahhucBo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3ae77e0f865dfad75e21ced13be52d70d0e3b7bfeb1f0426301d2f8b184b2e6a
Instruction ID: 1f7b853008ca40b6ccee50f7fd58facdd605c256b0cc56bd4f04bac230b14d1f
Opcode Fuzzy Hash: 3ae77e0f865dfad75e21ced13be52d70d0e3b7bfeb1f0426301d2f8b184b2e6a
Instruction Fuzzy Hash: E0211471D003599FDB10DFAAC881BEEBBF5FF48320F50842AE959A7251C7399905CBA4

Function 029214B0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02921530

Memory Dump Source

Source File: 00000000.00000002.1265183377.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_F7fahhucBo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c3aca147e415276864efff60f05187c07aae97bcd933740c8f00b87c9a59cabb
Instruction ID: e310f17bac3e425ceab15babea69b1ab448e70c743b0b635861c4862213b47e1
Opcode Fuzzy Hash: c3aca147e415276864efff60f05187c07aae97bcd933740c8f00b87c9a59cabb
Instruction Fuzzy Hash: E7212571D003599FDB10DFAAC881BEEBBF5FF48310F50842AE919A7240C7399905CBA4

Function 02921228 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 029212A6

Memory Dump Source

Source File: 00000000.00000002.1265183377.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_F7fahhucBo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d6f167a65bc8feb8e8dabd5f9168260dcfde6fb94c558e095cc302727f402254
Instruction ID: ffb21324cf94c361e26174ea59eaef081aa6f51870edf46421b0cafc6b784586
Opcode Fuzzy Hash: d6f167a65bc8feb8e8dabd5f9168260dcfde6fb94c558e095cc302727f402254
Instruction Fuzzy Hash: F5213871D003098FDB10DFAAC485BAEBBF4EF48314F54842EE819A7241CB789945CFA4

Function 029212F9 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0292136E

Memory Dump Source

Source File: 00000000.00000002.1265183377.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_F7fahhucBo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5bb8d5796f55bb773e86552aabf61065fe00e1a7134e11b1896f52fa712a2b3e
Instruction ID: 6b3c9d0575b3fafde1d06f3bcc404aa38a59cdeb0a5e379821bb459ad7b8ae1e
Opcode Fuzzy Hash: 5bb8d5796f55bb773e86552aabf61065fe00e1a7134e11b1896f52fa712a2b3e
Instruction Fuzzy Hash: 7D1164718003498FCB20DFAAC845BDEBFF5AF48320F14841AE919A7251CB76A900CBA0

Function 02921300 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0292136E

Memory Dump Source

Source File: 00000000.00000002.1265183377.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_F7fahhucBo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4a55a8700c27d819c4ad4750580a22dffd9166f8fc8078e9db36a04a56860b03
Instruction ID: a8c7b64c822b154a444039d352951b2348f966b4ea034e65a808069bac732e29
Opcode Fuzzy Hash: 4a55a8700c27d819c4ad4750580a22dffd9166f8fc8078e9db36a04a56860b03
Instruction Fuzzy Hash: 76115371D003098FDF20DFAAC845BDEBBF5EB48320F10841AE919A7250CB39A900CFA0

Function 02921178 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 029211DA

Memory Dump Source

Source File: 00000000.00000002.1265183377.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_F7fahhucBo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 526d95c01ac8eb233d2f2e5a3b1e860bf7076bb4685105d286cb77522129b4e1
Instruction ID: 2545e71e3d7c609e26b433e4cf49eeaedde20efc1429ab329c550def309032ea
Opcode Fuzzy Hash: 526d95c01ac8eb233d2f2e5a3b1e860bf7076bb4685105d286cb77522129b4e1
Instruction Fuzzy Hash: 07116671D003098FDB24DFAAC845B9EFBF5EB88320F20841ED419A7240CB39A905CFA4

Function 0111D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265037175.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_111d000_F7fahhucBo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03af2819adca0762a8b56e680145f1a67341e33ee732ae28a1371523f64f740b
Instruction ID: 9fbf8e4f92fbf10c25afb9a5c4b315fa990cad8aa0cfb26fa436f4210dca6988
Opcode Fuzzy Hash: 03af2819adca0762a8b56e680145f1a67341e33ee732ae28a1371523f64f740b
Instruction Fuzzy Hash: 4F2103B1544200DFDF19DF94E9C8B56FF65FB88324F20C579E8090BA4AC336E456CAA2

Function 0111D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265037175.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_111d000_F7fahhucBo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 010f0509a7b7df8bfb339a304ed0f3ec463b0b23269fad813d3355192f63a689
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 14119D76544280CFCF1ACF54D5C4B56BF72FB84324F24C5A9D8490BA5AC336E456CBA1

Analysis Process: CasPol.exePID: 1104, Parent PID: 564COMMON

Execution Graph

Execution Coverage:	27.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.1%
Total number of Nodes:	382
Total number of Limit Nodes:	8

Executed Functions

Function 00404C2D Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 208
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
Part of subcall function 0040475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E

KiUserCallbackDispatcher.NTDLL(0000004C), ref: 00404C9E
GetSystemMetrics.USER32(0000004D), ref: 00404CA5
GetDC.USER32(00000000), ref: 00404CE0
GetCurrentObject.GDI32(00000000,00000007), ref: 00404CF3
GetObjectW.GDI32(00000000,00000018,?), ref: 00404D0C
DeleteObject.GDI32(00000000), ref: 00404D3E
CreateCompatibleDC.GDI32(00000000), ref: 00404D9F
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00404DC0
SelectObject.GDI32(00000000,00000000), ref: 00404DD2
BitBlt.GDI32(00000000,00000000,00000000,?,004024F5,00000000,?,?,00CC0020), ref: 00404DF7

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

Part of subcall function 00403E03: EnterCriticalSection.KERNEL32(004084D4,?,0000011C), ref: 00403E15

Part of subcall function 004035C3: GetProcessHeap.KERNEL32(00000000,00000000,004026DC), ref: 004035CA
Part of subcall function 004035C3: RtlFreeHeap.NTDLL(00000000), ref: 004035D1

DeleteObject.GDI32(00000000), ref: 00404E95
DeleteDC.GDI32(00000000), ref: 00404E9C
ReleaseDC.USER32(00000000,00000000), ref: 00404EA5

Strings

6, xrefs: 00404D84
gdi3, xrefs: 00404C49
2, xrefs: 00404C55
- ScreenSize: {lWidth=%d, lHeight=%d}, xrefs: 00404D28
(, xrefs: 00404D78
U, xrefs: 00404C5E
er32, xrefs: 00404C65

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Object$HeapSection$CriticalDelete$CreateEnterProcess$AllocateCallbackCompatibleCurrentDispatcherFreeHandleLeaveLibraryLoadMetricsModuleReleaseSelectSystemUser
String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
API String ID: 1387450592-1028866296
Opcode ID: 54111a4b7bc319f5745368608b5675afeea82435c2ec2d0b094c19900ce30ce6
Instruction ID: 6b3ee7ab4da137d1a309b5a9f787d899f0e5564c39ac921fb92ff6ff8e554c30
Opcode Fuzzy Hash: 54111a4b7bc319f5745368608b5675afeea82435c2ec2d0b094c19900ce30ce6
Instruction Fuzzy Hash: 4B718075D00208ABDB20DFA5DD45BEEBB79AF44700F10446AE605B72D1DB785A04CBA9

Function 00401000 Relevance: 21.7, APIs: 4, Strings: 8, Instructions: 700
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,?), ref: 004013D1

Part of subcall function 00404108: GetFileAttributesW.KERNELBASE(00FAAB60,00401035,00FAAB60,?), ref: 00404109

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

FindFirstFileW.KERNELBASE(00000000,?,00FAAB60,?), ref: 00401161

Part of subcall function 00403F87: FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00403FE8
Part of subcall function 00403F87: FindNextFileW.KERNEL32(0040179D,?), ref: 00404089

EnterCriticalSection.KERNEL32(004084D4), ref: 004016F5
LeaveCriticalSection.KERNEL32(004084D4), ref: 0040170E

Strings

$Lr, xrefs: 00401281
%s\%s, xrefs: 004011A2
Discord/, xrefs: 004013AF
%s\*, xrefs: 0040112A
Telegram, xrefs: 004016FB
%s%s, xrefs: 0040150B, 00401854, 004019EA, 00401A4F
7a?=, xrefs: 00401730
7a?=, xrefs: 00401364

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CriticalFindSection$EnterFirstHeapLeaveNext$AllocateAttributesProcess
String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$7a?=$Discord/$Telegram
API String ID: 1893179121-60960798
Opcode ID: cc32662204eef177c1bb24944cceb37b970cd3f52aad9942ed642ea1a6b4ea2d
Instruction ID: e0fe4e299a14adff3431ec18ef39797f5155a140b4338a3cd7c1f3b0b96d06eb
Opcode Fuzzy Hash: cc32662204eef177c1bb24944cceb37b970cd3f52aad9942ed642ea1a6b4ea2d
Instruction Fuzzy Hash: A0323A71E102146ADB249BA58C91BFE73B89F80304F14417FE845B72E1EB7C8E858B9D

Function 004020E1 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

GetCurrentHwProfileA.ADVAPI32(?), ref: 00402198
GetSystemInfo.KERNELBASE(?,?,0000011C), ref: 004021BF
GlobalMemoryStatusEx.KERNELBASE(?), ref: 004021F3
EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 00402275

Strings

@, xrefs: 004021EA
- VideoAdapter #%d: %s, xrefs: 00402241
- CPU: %s (%d cores), xrefs: 004021D1
- RAM: %d GB, xrefs: 0040220A
- HWID: %s, xrefs: 004021AC

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
API String ID: 330852582-565344305
Opcode ID: 1289e8cf0d5fbe5f3f0ef4059f282c48e11b380c65581eb552a4a88b93ed5c2e
Instruction ID: 22e8c097fdb53a750db3d38699cd98a3431052edcfded2005e7f0d2a9ec9707d
Opcode Fuzzy Hash: 1289e8cf0d5fbe5f3f0ef4059f282c48e11b380c65581eb552a4a88b93ed5c2e
Instruction Fuzzy Hash: 6141A6719083019BD720DF24CD85FABBBE8EB84714F10493EF945AB2C1E774994587AA

Function 00404EB2 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 286
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,004084D4,?), ref: 00404F58
EnterCriticalSection.KERNEL32(004084D4), ref: 00405014

Part of subcall function 00404EB2: LeaveCriticalSection.KERNEL32(004084D4), ref: 00405031

FindNextFileW.KERNELBASE(?,?), ref: 00405200

Part of subcall function 00404108: GetFileAttributesW.KERNELBASE(00FAAB60,00401035,00FAAB60,?), ref: 00404109

Strings

%s\%s, xrefs: 00404F72
%s\*, xrefs: 00404F42
Telegram, xrefs: 0040501A

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CriticalFindSection$AttributesEnterFirstLeaveNext
String ID: %s\%s$%s\*$Telegram
API String ID: 648860119-4994844
Opcode ID: d84d8187fe1ade631e357449a07b88c685cf14ca7df123eb18c2c8c5d20aa8b4
Instruction ID: ecd5ca78d3e23e3f5ec3a68d4d3fe809ace172ce08446f2cd26366b6c0f1c70a
Opcode Fuzzy Hash: d84d8187fe1ade631e357449a07b88c685cf14ca7df123eb18c2c8c5d20aa8b4
Instruction Fuzzy Hash: D9A18021E14308A9EF10DBA0AD06BBE7775EF44710F20546FE904BB2E1EBB50E85875E

Function 00401DC9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 139
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?), ref: 00401E10

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

FindNextFileW.KERNELBASE(00000000,?), ref: 00401F94

Strings

%s\%s, xrefs: 00401E9B
%s\*, xrefs: 00401DF7
%s%s, xrefs: 00401F4E

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CriticalFileFindHeapSection$AllocateEnterFirstLeaveNextProcess
String ID: %s%s$%s\%s$%s\*
API String ID: 3555643018-2064654797
Opcode ID: 5cebb7284f378f55fcd4df65f13594aa010d6026b77e4466925d64efd1a65d52
Instruction ID: 14e95c991f87aca2b944788a29030c3de2d12e3058c1dcaec3f91741412fe5a3
Opcode Fuzzy Hash: 5cebb7284f378f55fcd4df65f13594aa010d6026b77e4466925d64efd1a65d52
Instruction Fuzzy Hash: C641B0706182025BC714EF24D955A2F77E8AF84704F10493FF885A72F2EB39EA44879E

Function 00401D21 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
Part of subcall function 0040475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00401D80
CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 00401DB6

Strings

Poverty is the parent of crime., xrefs: 00401D9F
CRYPT32.dll, xrefs: 00401D4F

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CryptData$HandleLibraryLoadModuleProtectUnprotect
String ID: CRYPT32.dll$Poverty is the parent of crime.
API String ID: 3642467563-1885057629
Opcode ID: 0bfa8139f65bd25693e68981f44dce0d28659087e85b2fcfac568366f43bb735
Instruction ID: c7f84ecd61725d2c0d2cc539ea739b2fab333b7ee9f2c38f0174a54d3eab5c97
Opcode Fuzzy Hash: 0bfa8139f65bd25693e68981f44dce0d28659087e85b2fcfac568366f43bb735
Instruction Fuzzy Hash: 9911F7B5D0020DABDB10DF95C8819EFBBBCEF48314F10456AE945B3280E774AE09CAA4

Function 004035C3 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,004026DC), ref: 004035CA
RtlFreeHeap.NTDLL(00000000), ref: 004035D1

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a5c4a5c9563baa38c9ba5d526c864f3f6d83196204a18c55b87fe91dca070a4b
Instruction ID: 873122bf131184cd6aa06baef865d0714c6afb91f4c12db888e56dda872d8f6a
Opcode Fuzzy Hash: a5c4a5c9563baa38c9ba5d526c864f3f6d83196204a18c55b87fe91dca070a4b
Instruction Fuzzy Hash: B6B092B0A491006AEE182BA09E0DB3B3A18AB04303F0002A8B302B14A0CA786500862A

Function 00402282 Relevance: 38.8, APIs: 13, Strings: 9, Instructions: 304
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(004084D4,00000DA3), ref: 00402297
CreateMutexA.KERNELBASE(00000000,00000000,0060cbb5-1dbd-468c-b2ba-03be756aa1c1), ref: 004022AF
GetLastError.KERNEL32 ref: 004022C2

Strings

shell32, xrefs: 004023E5
cb_phoenix.v1.0, xrefs: 004025F3
$d.log, xrefs: 00402678
- OperationSystem: %d:%d:%d, xrefs: 0040232A
0060cbb5-1dbd-468c-b2ba-03be756aa1c1, xrefs: 004022A6, 00402612
- UserAgent: %s, xrefs: 004025B3
$, xrefs: 004025FD
@, xrefs: 004025DE
kernel32, xrefs: 00402439

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$0060cbb5-1dbd-468c-b2ba-03be756aa1c1$@$cb_phoenix.v1.0$kernel32$shell32
API String ID: 2005177960-3252262841
Opcode ID: 7d85174eba821bd26a3f3c474d69b94223cfdb22e9e683f010e87f1aa16b2777
Instruction ID: db5b455704c763b654c06a6b3c78ab43ebdd973590fbbde67410529c29875780
Opcode Fuzzy Hash: 7d85174eba821bd26a3f3c474d69b94223cfdb22e9e683f010e87f1aa16b2777
Instruction Fuzzy Hash: 36C11630904245AEEB10EFA0DE4ABAE7F75AF14705F00447EE141BA2E2DFB91A44CB5D

Function 004044F7 Relevance: 16.7, APIs: 8, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404108: GetFileAttributesW.KERNELBASE(00FAAB60,00401035,00FAAB60,?), ref: 00404109

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

EnterCriticalSection.KERNEL32(004084D4), ref: 00404580
LeaveCriticalSection.KERNEL32(004084D4), ref: 004045CC
EnterCriticalSection.KERNEL32(004084D4), ref: 0040464F
LeaveCriticalSection.KERNEL32(004084D4), ref: 00404688
EnterCriticalSection.KERNEL32(004084D4), ref: 004046C5
LeaveCriticalSection.KERNEL32(004084D4), ref: 00404708
EnterCriticalSection.KERNEL32(004084D4), ref: 00404721
LeaveCriticalSection.KERNEL32(004084D4), ref: 0040474A

Part of subcall function 00404377: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,004045FF), ref: 00404390
Part of subcall function 00404377: GetProcAddress.KERNEL32(00000000), ref: 00404399
Part of subcall function 00404377: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,004045FF), ref: 004043AA
Part of subcall function 00404377: GetProcAddress.KERNEL32(00000000), ref: 004043AD
Part of subcall function 00404377: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,004045FF), ref: 0040442F
Part of subcall function 00404377: GetCurrentProcess.KERNEL32(004045FF,00000000,00000000,00000002,?,?,?,?,004045FF), ref: 0040444B
Part of subcall function 00404377: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,004045FF), ref: 0040445A
Part of subcall function 00404377: CloseHandle.KERNEL32(004045FF,?,?,?,?,004045FF), ref: 0040448A

Part of subcall function 004035C3: GetProcessHeap.KERNEL32(00000000,00000000,004026DC), ref: 004035CA
Part of subcall function 004035C3: RtlFreeHeap.NTDLL(00000000), ref: 004035D1

Strings

\??\%s, xrefs: 0040452F
\Network\Cookies, xrefs: 004045EC
@, xrefs: 00404566

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocateAttributesCloseCurrentDuplicateFileFreeOpen
String ID: @$\??\%s$\Network\Cookies
API String ID: 330363434-2791195959
Opcode ID: 3aceadb322b04b0cd88ffec1cbc000090e3a08d248677b6e52905a850177b162
Instruction ID: 30b89a0c7dd792c6c55c89bb752360b8731b4be3a9f183659006c232308b4c97
Opcode Fuzzy Hash: 3aceadb322b04b0cd88ffec1cbc000090e3a08d248677b6e52905a850177b162
Instruction Fuzzy Hash: 0C719F70940209BFDB04DF90CD4ABAD7BB5FB44305F10803AFA41BA2E1EBB95A45CB59

Function 004053F8 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 139
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
Part of subcall function 0040475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E

socket.WS2_32(?,00000001,00000000), ref: 0040550F
connect.WS2_32(000000FF,?,00000010), ref: 0040554E
send.WS2_32(000000FF,00000000,00000000), ref: 00405570
send.WS2_32(000000FF,000000FF,106,00000000), ref: 0040558C
closesocket.WS2_32(000000FF), ref: 004055BC

Strings

106, xrefs: 0040557B, 0040557F
185.244.212.106, xrefs: 00405523
ws2_32.dll, xrefs: 00405473

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: send$HandleLibraryLoadModuleclosesocketconnectsocket
String ID: 106$185.244.212.106$ws2_32.dll
API String ID: 2279181061-2093737415
Opcode ID: 1717f7b469886dd0248fd88ee7bed06fc9c62e98bc7b207c854f528114d91968
Instruction ID: 1ba8255f1e8dd8081fefad2875cd7e7399d758cce23e8b083b3bca88080a13bc
Opcode Fuzzy Hash: 1717f7b469886dd0248fd88ee7bed06fc9c62e98bc7b207c854f528114d91968
Instruction Fuzzy Hash: C851C530C44288EDEF018BE4D8097EEBFB99F15314F14459AE660BE2D1C7B9474ACB65

Function 004048D6 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 231
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,00402351), ref: 004048F7

Part of subcall function 0040475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
Part of subcall function 0040475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E

GetCurrentProcess.KERNEL32(Q#@), ref: 0040496B
IsWow64Process.KERNEL32(00000000), ref: 00404972

Strings

ntdllQ#@, xrefs: 00404985
Q#@, xrefs: 00404964, 0040497A, 0040496A
ntdl, xrefs: 00404914
l, xrefs: 00404917

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
String ID: Q#@$l$ntdl$ntdllQ#@
API String ID: 1207166019-1218684799
Opcode ID: bcc7277f0982174f50dd03a4f8c9cdb8aac042102541d2e3cf7aa096f817556f
Instruction ID: 3ee230e69bd7094b3339c115938649c60d03c5872765df0b6732839f5e82a11c
Opcode Fuzzy Hash: bcc7277f0982174f50dd03a4f8c9cdb8aac042102541d2e3cf7aa096f817556f
Instruction Fuzzy Hash: C881E5B061820196EB649B50EF5577A33A8FB91710F20053FE345BB3E1EBB88D80874E

Function 00401FBA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0040201D
GetKeyboardLayoutList.USER32(00000032,?), ref: 0040207F

Strings

{%d} , xrefs: 004020B2
- SystemLayout %d, xrefs: 00402059
), xrefs: 004020CF
- KeyboardLayouts: ( , xrefs: 00402068

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: DefaultKeyboardLanguageLayoutListUser
String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
API String ID: 167087913-619012376
Opcode ID: 098336f7847c56de198dceea2ad9df411a430e70487c194ec4b5a45776de32d6
Instruction ID: 10b5000f3d20341b48b4ae383d5168f65d0d8f996377bdde78befb18ad8f4928
Opcode Fuzzy Hash: 098336f7847c56de198dceea2ad9df411a430e70487c194ec4b5a45776de32d6
Instruction Fuzzy Hash: 0931BE60D08298A9DB009FE494067BDBB70EF14306F1054ABF648F72C2D27E4B49D76E

Function 00403595 Relevance: 6.0, APIs: 4, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID:
API String ID: 1367039788-0
Opcode ID: d8cb59fa451f531bb7d9703be9d6d3f1f0789b70689b423d9663a2cdfd0a23a5
Instruction ID: 3223c967265719e8531dc247f72f9ba3551b462deb81e419d276c47ad9b9309f
Opcode Fuzzy Hash: d8cb59fa451f531bb7d9703be9d6d3f1f0789b70689b423d9663a2cdfd0a23a5
Instruction Fuzzy Hash: 81D0A733E0812067CB5027F9BE0C99BBF6CEF86661705027AF645E3160CAB85C0587AA

Function 0040475F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E

Strings

ntdl, xrefs: 0040476C, 0040477D

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: ntdl
API String ID: 4133054770-3973061744
Opcode ID: 153b30b252ebdc061fc8619bae493407424138c2e36891cb89667ed67eb505d5
Instruction ID: 11ff4d8a77b90bf3d421a1100ca7fc1e5220f65cc3b3dee9f6ee43e9c25cea99
Opcode Fuzzy Hash: 153b30b252ebdc061fc8619bae493407424138c2e36891cb89667ed67eb505d5
Instruction Fuzzy Hash: B131127AE00215DBCB54EFA9C480ABEB7B0FF89704F04466AC551B3381C738A951CBA4

Function 00404108 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00FAAB60,00401035,00FAAB60,?), ref: 00404109

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d097877ed9740e91f650fee32fe24c2afa502c42455f07a4a2dfcf8c61e2aed8
Instruction ID: c139d24a98a97a360684cfbb393a546f3f92256ca7c1166e296c0db0bb017a51
Opcode Fuzzy Hash: d097877ed9740e91f650fee32fe24c2afa502c42455f07a4a2dfcf8c61e2aed8
Instruction Fuzzy Hash: 1DA022380302008BCA2C03300FAA00E30000E0A2F03220BACB033F80E0EA38C2800002

Non-executed Functions

Function 00403F87 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00404108: GetFileAttributesW.KERNELBASE(00FAAB60,00401035,00FAAB60,?), ref: 00404109

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00403FE8
FindNextFileW.KERNEL32(0040179D,?), ref: 00404089

Strings

%s\%s, xrefs: 00404022
%s\*, xrefs: 00403FD2
%s%s, xrefs: 004040D2

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: File$CriticalFindHeapSection$AllocateAttributesEnterFirstLeaveNextProcess
String ID: %s%s$%s\%s$%s\*
API String ID: 674214967-2064654797
Opcode ID: 851fe2d0db6313b3b97ce49e1a9b884d2538fd0dfee7c13a5dcc67b2ec672ff6
Instruction ID: 3b86eeb09e9c0eadff58ad7c69213eb5ca1285151f1c464e5ebf84cdc8497cf1
Opcode Fuzzy Hash: 851fe2d0db6313b3b97ce49e1a9b884d2538fd0dfee7c13a5dcc67b2ec672ff6
Instruction Fuzzy Hash: 2831F3B1E0021967DB21AF618C45ABE7BA99F80304F0441BEFE05B73D1EB3D8F458699

Function 00404145 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00404198
FindNextFileW.KERNEL32(000000FF,?), ref: 004041E4

Part of subcall function 004035C3: GetProcessHeap.KERNEL32(00000000,00000000,004026DC), ref: 004035CA
Part of subcall function 004035C3: RtlFreeHeap.NTDLL(00000000), ref: 004035D1

Strings

%s\%s, xrefs: 004041F8
%s\*, xrefs: 00404182

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: FileFindHeap$FirstFreeNextProcess
String ID: %s\%s$%s\*
API String ID: 1689202581-2848263008
Opcode ID: 03ec7cdd6b1c53106126d1c61fe10d4903e8003fb5869c5929cfc5ffc06257b0
Instruction ID: 0ae009433c7d8e74f2399d383574e25c26017cf842a18982b61cce91de727895
Opcode Fuzzy Hash: 03ec7cdd6b1c53106126d1c61fe10d4903e8003fb5869c5929cfc5ffc06257b0
Instruction Fuzzy Hash: C931A8B0B00214ABCB20AF65CC8566E7BADEF85745F1044BEB905A73C1DB7C9E418B99

Function 00404377 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,004045FF), ref: 00404390
GetProcAddress.KERNEL32(00000000), ref: 00404399
GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,004045FF), ref: 004043AA
GetProcAddress.KERNEL32(00000000), ref: 004043AD

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,004045FF), ref: 0040442F
GetCurrentProcess.KERNEL32(004045FF,00000000,00000000,00000002,?,?,?,?,004045FF), ref: 0040444B
DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,004045FF), ref: 0040445A
CloseHandle.KERNEL32(004045FF,?,?,?,?,004045FF), ref: 0040448A
GetCurrentProcess.KERNEL32(004045FF,00000000,00000000,00000001,?,?,?,?,004045FF), ref: 00404498
DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,004045FF), ref: 004044A7
CloseHandle.KERNEL32(?,?,?,?,?,004045FF), ref: 004044BA
CloseHandle.KERNEL32(000000FF), ref: 004044DD
CloseHandle.KERNEL32(?), ref: 004044E5

Strings

NtQuerySystemInformation, xrefs: 00404386
NtQueryObject, xrefs: 0040439B
ntdll, xrefs: 0040438B, 004043A2

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocateEnterLeaveOpen
String ID: NtQueryObject$NtQuerySystemInformation$ntdll
API String ID: 3110323036-2044536123
Opcode ID: b5df68a6bf919bf50a48ac763dfae3735d449fe75d6ecaf60c1b57aeb643f3aa
Instruction ID: 6b6220df04feaa08bf7b4da56c654ad1a859742ad58229fcdab27ba0eb323707
Opcode Fuzzy Hash: b5df68a6bf919bf50a48ac763dfae3735d449fe75d6ecaf60c1b57aeb643f3aa
Instruction Fuzzy Hash: 884172B1E00119ABDB109BE68D44AAFBBB9EF84314F144176F604F22D0DB78DE41CBA5

Function 00402A1E Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 245COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00402B09

Strings

0123456789ABCDEF, xrefs: 00402A85
(null), xrefs: 00402C14
0123456789abcdef, xrefs: 00402A7E
(null), xrefs: 00402B9A

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
API String ID: 1302938615-1267642376
Opcode ID: 74a9ea239097ada3d1414e157643d0f430ec2b0ca7e571adabed524bf4d5b292
Instruction ID: bcdd270a88cad76f636a2a04ffa2895c1f0e3bc7806eb067e009ec13a134c41f
Opcode Fuzzy Hash: 74a9ea239097ada3d1414e157643d0f430ec2b0ca7e571adabed524bf4d5b292
Instruction Fuzzy Hash: 5691A0706087028FDB25CF24C58862BB7E5EF85344F24897FE49AA77D1D7B4A881CB49

Function 00403111 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

x, xrefs: 00403451

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: cc77272222d09f9b3e8e7dc35d4396ed1e50a5a1df7a949ef9c02a18000c61cf
Instruction ID: cdbb1d4b41a264391f31279463ee9e8db51f7a06bf36a1bae859705254ac4300
Opcode Fuzzy Hash: cc77272222d09f9b3e8e7dc35d4396ed1e50a5a1df7a949ef9c02a18000c61cf
Instruction Fuzzy Hash: 1302A174D00219EFCB45CF98C985AAEBBF4FB09305F10846AE826EB390D734AA41CF55

Function 00402C95 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 389COMMON

Download Yara Rule

APIs

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00402ECA

Strings

6#@, xrefs: 00402F4A

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateByteCharEnterLeaveMultiProcessWide
String ID: 6#@
API String ID: 1990697408-399668929
Opcode ID: 1f26a5c5fc2634c2030f9b83c1c8166a34ad48809439acca6c6bd24674cc38fe
Instruction ID: 04ec494e2720618fda0ea9b48e18905337fba48f3a471985427a56106dfb7a8a
Opcode Fuzzy Hash: 1f26a5c5fc2634c2030f9b83c1c8166a34ad48809439acca6c6bd24674cc38fe
Instruction Fuzzy Hash: 9202AF70A04249EFCB41CF98C985AAEBBF4BF09305F148466E855FB390D778AA41CF55

Function 00403DA9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,00000000,00000000,00000000,?,?,?,00403E4E,00000000,?,0000011C), ref: 00403DC1

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,?,00000000,00000000,?,00403E4E,00000000,?,0000011C), ref: 00403DF7

Strings

$d.log, xrefs: 00403DB8, 00403DF0

Memory Dump Source

Source File: 00000002.00000002.1351063504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CasPol.jbxd

Yara matches

Similarity

API ID: ByteCharCriticalHeapMultiSectionWide$AllocateEnterLeaveProcess
String ID: $d.log
API String ID: 635875880-1910398676
Opcode ID: 596067efd1d70e71452a917ac77f7634f6861e6932447c6e6420039467924f9e
Instruction ID: ac6dd0e6687c57a2322cdc8011629eff706fdab16a0174ef90b3a49cae1c3f8c
Opcode Fuzzy Hash: 596067efd1d70e71452a917ac77f7634f6861e6932447c6e6420039467924f9e
Instruction Fuzzy Hash: 46F0BEB16001207FA3246A6ACC09C777EAEDBC2B71304433ABC18EB3D0D9309C0082B0

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report F7fahhucBo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Poverty Stealer

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F7fahhucBo.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
F7fahhucBo.exe

Function 029219C0 Relevance: 1.7, Strings: 1, Instructions: 493
COMMON

Function 0292163C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Function 02921648 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 02921221 Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Function 029213B9 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Function 029213C0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 02921170 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Function 029214AE Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 029214B0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 02921228 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 029212F9 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Function 02921300 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Function 02921178 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Function 00404C2D Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 208
windowCOMMON

Function 00401000 Relevance: 21.7, APIs: 4, Strings: 8, Instructions: 700
fileCOMMON

Function 004020E1 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 134
COMMON

Function 00404EB2 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 286
fileCOMMON

Function 00401DC9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 139
fileCOMMON

Function 00401D21 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69
encryptionCOMMON

Function 004035C3 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Function 00402282 Relevance: 38.8, APIs: 13, Strings: 9, Instructions: 304
synchronizationCOMMON

Function 004044F7 Relevance: 16.7, APIs: 8, Strings: 3, Instructions: 179
COMMON

Function 004053F8 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 139
networkCOMMON