Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562759
MD5:	472277a6072a8cfa733117ff1597c8da
SHA1:	83e570c6eca17446ac0b8418f11fa25b9c5c10a7
SHA256:	709d4a2c6b1307768277cbcafa383579d5ef81eeb0845532a1f1b01168e6ea10
Tags:	exeuser-Bitsight
Infos:

Detection

Poverty Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Poverty Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Contains functionality to query CPU information (cpuid)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Program does not show much activity (idle)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

file.exe (PID: 3236 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 472277A6072A8CFA733117FF1597C8DA)

cleanup

Malware Configuration

Threatname: Poverty Stealer

{"C2 url": "85.244.212.106:2227"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000000.00000000.1664708303.0000000000BF7000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Process Memory Space: file.exe PID: 3236	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.bf0000.0.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.0.file.exe.bf0000.0.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security

Suricata Signatures

ET MALWARE LUMAR Stealer Exfiltration M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T00:19:12.139413+0100	2048736	1	A Network Trojan was detected	192.168.2.4	49730	185.244.212.106	2227	TCP

Code function: 0_2_00BF4C2D GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC,

0_2_00BF4C2D

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Mutant created: \Sessions\1\BaseNamedObjects\085f229d-d27d-4fc1-9dc1-8958125ccbd9

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ntkrnlmp.pdbo source: file.exe, 00000000.00000002.1804928662.000000000A7AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbkD source: file.exe, 00000000.00000002.1886039128.000000000D557000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbr source: file.exe, 00000000.00000002.1840251068.000000000BE1A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1853909703.000000000C58A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: file.exe, 00000000.00000002.1840251068.000000000BE11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1827638294.000000000B625000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1791505154.0000000009C0A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1804928662.000000000A7B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1920109162.000000000E4CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1900265086.000000000DD41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1935143545.000000000EC7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbt source: file.exe, 00000000.00000002.1935143545.000000000EC81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: file.exe, 00000000.00000002.1886039128.000000000D552000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbz source: file.exe, 00000000.00000002.1900265086.000000000DD3C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbt source: file.exe, 00000000.00000002.1796538723.000000000A1A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbA source: file.exe, 00000000.00000002.1815783208.000000000AEB4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbu source: file.exe, 00000000.00000002.1935143545.000000000EC81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb~Z source: file.exe, 00000000.00000002.1828149453.000000000B64F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbp source: file.exe, 00000000.00000002.1853909703.000000000C58A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbL source: file.exe, 00000000.00000002.1870641401.000000000CD9A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbm source: file.exe, 00000000.00000002.1804928662.000000000A7AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbcT(/+ source: file.exe, 00000000.00000002.1886039128.000000000D552000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbx, source: file.exe, 00000000.00000002.1796538723.000000000A1A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1840251068.000000000BE11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1815783208.000000000AEB4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1827638294.000000000B625000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1791505154.0000000009C0A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1804928662.000000000A7B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1920109162.000000000E4CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1792549362.0000000009D8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1870641401.000000000CD9A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1886039128.000000000D552000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1853909703.000000000C58A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1900265086.000000000DD41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1935143545.000000000EC7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb}P source: file.exe, 00000000.00000002.1828149453.000000000B64F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb[ source: file.exe, 00000000.00000002.1792549362.0000000009D8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\* source: file.exe, 00000000.00000002.1789802750.000000000140E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbZ source: file.exe, 00000000.00000002.1920109162.000000000E494000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb[ source: file.exe, 00000000.00000002.1920109162.000000000E494000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb~t&+) source: file.exe, 00000000.00000002.1900265086.000000000DD41000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb] source: file.exe, 00000000.00000002.1815783208.000000000AEB4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbX source: file.exe, 00000000.00000002.1815783208.000000000AEB4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbI source: file.exe, 00000000.00000002.1870641401.000000000CD9A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbJ source: file.exe, 00000000.00000002.1853909703.000000000C58A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbM source: file.exe, 00000000.00000002.1840251068.000000000BE11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1870641401.000000000CD9A000.00000004.00000020.00020000.00000000.sdmp

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-2301

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF4EB2 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,	0_2_00BF4EB2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF1DC9 FindFirstFileW,FindNextFileW,	0_2_00BF1DC9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,	0_2_00BF1000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF3F87 FindFirstFileW,FindNextFileW,	0_2_00BF3F87
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF4145 FindFirstFileW,FindNextFileW,	0_2_00BF4145

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF20E1 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,

0_2_00BF20E1

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior

Source: file.exe, 00000000.00000002.1790615976.0000000009A04000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF3595 EnterCriticalSection,GetProcessHeap,RtlAllocateHeap,LeaveCriticalSection,

0_2_00BF3595

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF20E1 cpuid

0_2_00BF20E1

Stealing of Sensitive Information

Yara detected Poverty Stealer

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.2.file.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1664708303.0000000000BF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3236, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Remote Access Functionality

Yara detected Poverty Stealer

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.2.file.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1664708303.0000000000BF7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3236, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	68%	ReversingLabs	Win32.Trojan.PovertyStealer
file.exe	100%	Avira	TR/Crypt.XPACK.Gen3
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
85.244.212.106:2227	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
85.244.212.106:2227	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.244.212.106	unknown	Romania		9009	M247GB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562759
Start date and time:	2024-11-26 00:18:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.244.212.106	j95Whg3AY1.exe	Get hash	malicious	Poverty Stealer	Browse
	F7fahhucBo.exe	Get hash	malicious	Poverty Stealer	Browse
	IxE6TjWjRM.exe	Get hash	malicious	Poverty Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	file.exe	Get hash	malicious	NetSupport RAT	Browse	45.61.128.74
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	93.120.123.217
	file.exe	Get hash	malicious	NetSupport RAT	Browse	45.61.128.74
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	104.224.90.41
	comprobante.exe	Get hash	malicious	Remcos	Browse	176.10.80.43
	7jBzTH9FXQ.exe	Get hash	malicious	Unknown	Browse	95.174.64.138
	fACYdCvub8.exe	Get hash	malicious	Unknown	Browse	95.174.66.19
	7jBzTH9FXQ.exe	Get hash	malicious	Unknown	Browse	193.29.107.181
	fACYdCvub8.exe	Get hash	malicious	Unknown	Browse	217.138.199.203
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	192.230.38.194

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.483146203914055
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	30'208 bytes
MD5:	472277a6072a8cfa733117ff1597c8da
SHA1:	83e570c6eca17446ac0b8418f11fa25b9c5c10a7
SHA256:	709d4a2c6b1307768277cbcafa383579d5ef81eeb0845532a1f1b01168e6ea10
SHA512:	de7c9fce7211a5628c3793df5632835f3c5588949549504243cc90182fb754cb09961ef303c6b0e77124ae04a231e7a7207c8eb966f868144c249104215467fe
SSDEEP:	384:piY/4mcwYPSNOjKjg11+rVlOxxtNP97kJkgQ8pwIIumVbgORBprjlJZpTJ3uPbH0:piWWjjKjrOFgwItmVsOlr1B+90H
TLSH:	4CD28EA5CDE0D0B3C0630571B39FFB5B5DFF2626022844C767B50C55899AA81EAAB3D3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M...,}..,}..,}..q~..,}..T...,}..,\|..,}..qt..,}..q...,}.Rich.,}.........PE..L......f.................`...........".......p....@

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x402282
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x668CD4E5 [Tue Jul 9 06:12:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	f63e2b20da57bba52ad3b39011a8e8d2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000364h
push esi
push edi
push 00000DA3h
push 004084D4h
call dword ptr [00407018h]
test eax, eax
jne 00007F8DF908B9E7h
jmp 00007F8DF908BE4Ch
push 00408046h
push 00000000h
push 00000000h
call dword ptr [0040701Ch]
mov dword ptr [ebp-30h], eax
cmp dword ptr [ebp-30h], 00000000h
je 00007F8DF908BE29h
call dword ptr [00407024h]
cmp eax, 000000B7h
je 00007F8DF908BE18h
push 00000065h
pop edx
lea ecx, dword ptr [ebp-28h]
call 00007F8DF908D366h
cmp dword ptr [ebp-24h], 00000000h
je 00007F8DF908BDDAh
push 0000011Ch
xor edx, edx
lea ecx, dword ptr [ebp-00000164h]
call 00007F8DF908CCEEh
pop ecx
mov dword ptr [ebp-00000164h], 0000011Ch
lea ecx, dword ptr [ebp-00000164h]
call 00007F8DF908DF46h
test eax, eax
jl 00007F8DF908BDA2h
push dword ptr [ebp-00000158h]
push dword ptr [ebp-0000015Ch]
push dword ptr [ebp-00000160h]
push 00407474h
push 00000000h
call 00007F8DF908CD17h
add esp, 14h
sub esp, 0000011Ch
push 00000047h
pop ecx
lea esi, dword ptr [ebp-00000164h]
mov edi, esp

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[LNK] VS2015 UPD2 build 23918

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x76b0	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9000	0x2fc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x75d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0xb0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5ecd	0x6000	39c5351867ca632d1851a77edb7027dc	False	0.6384684244791666	data	6.6047321266474475	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0xaf6	0xc00	adcc9fb56ce6bb8a5b9550b0cd8aa46e	False	0.4612630208333333	PGP symmetric key encrypted data - Plaintext or unencrypted data	4.887509921041914	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8000	0x510	0x200	a0f41c1cf1e64899d37db6f87fc77628	False	0.248046875	data	1.8804374389056182	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x9000	0x2fc	0x400	a015961f72d73e04f569fe5162e49191	False	0.6982421875	data	5.466540815021208	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	WaitForMultipleObjects, GetUserDefaultUILanguage, InitializeCriticalSectionAndSpinCount, CreateMutexA, Sleep, GetLastError, CloseHandle, GetSystemInfo, CreateThread, DeleteCriticalSection, ExitProcess, GlobalMemoryStatusEx, HeapFree, GetModuleFileNameW, HeapReAlloc, IsDBCSLeadByte, HeapAlloc, GetProcessHeap, WideCharToMultiByte, GetCurrentProcess, VirtualAlloc, GetFileAttributesW, DuplicateHandle, GetModuleHandleA, OpenProcess, LoadLibraryA, GetProcAddress, IsWow64Process, LeaveCriticalSection, MultiByteToWideChar, EnterCriticalSection
USER32.dll	ReleaseDC, EnumDisplayDevicesA, GetKeyboardLayoutList, GetSystemMetrics
ADVAPI32.dll	GetCurrentHwProfileA
CRYPT32.dll	CryptProtectData
urlmon.dll	ObtainUserAgentString

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-26T00:19:12.139413+0100	2048736	ET MALWARE LUMAR Stealer Exfiltration M2	1	192.168.2.4	49730	185.244.212.106	2227	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 00:19:11.896604061 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.017662048 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.017772913 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.017863989 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.018100023 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.139240980 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.139319897 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.139350891 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.139360905 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.139413118 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.139424086 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.139434099 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.139450073 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.139477015 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.139498949 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.140398026 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.140417099 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.140439034 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.140456915 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.140460968 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.140503883 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.260549068 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.260617971 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.260842085 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.260886908 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.260896921 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.260930061 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.260941029 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.260979891 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.261007071 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.261035919 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.261066914 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.261094093 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.261991978 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.262048006 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.305028915 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.305138111 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.425549984 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.425636053 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.469141006 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.469202042 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.589068890 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.673094988 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.673156023 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:12.925080061 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:12.925141096 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.090859890 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.091053963 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.091126919 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211215019 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211292982 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211308002 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211354017 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211374044 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211401939 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211409092 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211436033 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211453915 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211483002 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211497068 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211510897 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211534977 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211560965 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211560965 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211589098 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211617947 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211617947 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211642027 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211669922 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211702108 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211730003 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211752892 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211756945 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211781979 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211796999 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211811066 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211855888 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211858034 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211922884 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.211930037 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211956024 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.211982965 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.212011099 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.212017059 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.212068081 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.212073088 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.212129116 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.212163925 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.212193012 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.212222099 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.212260008 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.212626934 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.212656021 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.212685108 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.212693930 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.212718964 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.212730885 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.212749004 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.212779999 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.212798119 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.212850094 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.212862015 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.212896109 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.212985039 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.213033915 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.213048935 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.213076115 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.213095903 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.213123083 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.332428932 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.332472086 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.332499027 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.332534075 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.332566977 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.332614899 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.332664967 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.332698107 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.332706928 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.332746029 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.332751036 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.332784891 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.332798004 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.332834959 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.332835913 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.332870007 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.332881927 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.332916021 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.332950115 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.332998991 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333019972 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333064079 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333103895 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333132982 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333153963 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333175898 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333190918 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333225012 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333237886 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333272934 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333281040 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333312988 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333322048 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333365917 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333384037 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333411932 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333437920 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333462954 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333465099 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333494902 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333511114 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333543062 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333545923 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333573103 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333602905 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333615065 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333621025 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333647966 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333667040 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333693981 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333697081 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333724022 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333745956 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333755016 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333777905 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333782911 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333802938 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333827972 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333848953 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333875895 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333901882 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333930969 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333931923 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.333959103 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.333981991 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334007025 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334013939 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334034920 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334059000 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334079027 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334080935 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334109068 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334130049 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334141970 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334156036 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334189892 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334196091 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334239960 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334311962 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334338903 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334361076 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334386110 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334429026 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334460974 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334471941 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334508896 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334515095 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334537029 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334558010 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334583998 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334584951 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334611893 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334630966 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334661007 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334680080 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334707022 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334728003 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334750891 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334758043 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334785938 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334805965 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334834099 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334852934 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334862947 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334884882 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334908962 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334913969 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334942102 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334960938 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.334974051 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.334992886 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.335000992 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.335026026 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.335053921 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.335055113 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.335083008 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.335105896 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.335109949 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.335131884 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.335139036 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.335165977 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.335189104 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.335206032 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.335233927 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.335259914 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.335259914 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.335283995 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.335316896 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.452761889 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.452819109 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.452833891 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.452876091 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.453080893 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.453135014 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.453139067 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.453197002 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.453223944 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.453279018 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.453711033 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.453768015 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.454098940 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.454154015 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.454222918 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.454250097 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.454277039 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.454303026 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.454319954 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.454351902 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.454371929 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.454400063 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.454421043 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.454482079 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.454535961 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.454590082 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455192089 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455248117 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455290079 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455348015 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455379963 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455432892 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455444098 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455472946 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455497026 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455501080 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455528975 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455530882 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455554962 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455583096 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455584049 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455610991 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455638885 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455642939 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455671072 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455678940 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455701113 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455718994 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455718994 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455751896 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455770016 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455797911 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455802917 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455830097 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455879927 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455888033 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455907106 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455938101 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455955982 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.455957890 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.455982924 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456007957 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456022978 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456031084 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456058979 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456085920 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456108093 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456110954 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456135035 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456160069 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456185102 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456186056 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456212044 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456237078 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456254959 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456259966 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456286907 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456309080 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456319094 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456341028 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456346989 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456367970 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456398964 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456417084 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456444979 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456466913 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456471920 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456499100 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456523895 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456561089 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456571102 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456598997 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456619978 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456625938 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456646919 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456653118 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456676006 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456681967 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456707954 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456731081 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456738949 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456759930 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456785917 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456788063 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456813097 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456815004 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456856966 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456887007 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456914902 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456931114 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456942081 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456954002 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.456959963 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456984043 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.456995010 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457003117 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457009077 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457041979 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457061052 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457103014 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457151890 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457192898 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457206011 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457246065 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457256079 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457262039 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457274914 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457289934 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457312107 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457323074 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457325935 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457339048 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457340956 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457371950 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457393885 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457405090 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457417011 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457453012 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457469940 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457480907 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457493067 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457530022 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457542896 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457542896 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457576036 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457585096 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457612991 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457628012 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457655907 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457676888 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457689047 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457720995 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457742929 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457779884 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457779884 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457792997 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457837105 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457842112 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457854986 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457866907 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457884073 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.457894087 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457926035 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.457942963 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458002090 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458015919 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458029985 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458051920 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458069086 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458085060 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458085060 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458097935 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458110094 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458121061 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458156109 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458168030 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458190918 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458204031 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458215952 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458228111 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458250999 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458292007 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458498001 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458511114 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458522081 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458544016 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458547115 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458555937 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458568096 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458579063 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458585978 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458590984 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458597898 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458622932 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458645105 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458650112 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458672047 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458695889 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458722115 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458806038 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458841085 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458888054 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458944082 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458956957 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458981991 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.458987951 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.458993912 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459013939 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459028959 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459043980 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459050894 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459103107 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459158897 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459172010 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459209919 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459230900 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459233999 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459244013 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459275961 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459280014 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459295034 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459300995 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459331036 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459342003 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459342957 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459356070 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459377050 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459389925 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459393024 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459404945 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459423065 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459434986 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459435940 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459482908 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459516048 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459542036 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459553957 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.459567070 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459583998 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.459609985 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.573066950 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.573118925 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.573141098 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.573184013 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.573187113 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.573218107 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.573246956 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.573273897 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.573275089 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.573307037 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.573312044 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.573329926 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.573334932 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.573350906 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.573385000 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.573425055 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.573452950 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.573481083 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.573508978 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.573509932 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.573532104 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.573568106 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.575095892 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.575124979 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.575150967 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.575167894 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.575400114 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.575453997 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.575483084 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.575510979 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.575575113 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.575623035 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.575670958 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.575673103 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.575727940 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.575789928 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.575823069 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.575881958 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.575918913 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.575947046 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.575978041 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.575998068 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.576028109 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.576030016 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.576076984 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.576103926 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.576123953 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.576136112 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.576164961 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.576176882 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.576230049 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.576278925 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.576518059 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.576973915 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577002048 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577028990 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.577045918 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.577157974 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577186108 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577208996 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.577240944 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.577302933 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577330112 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577353001 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.577387094 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.577429056 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577456951 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577480078 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.577503920 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.577553034 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577580929 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577595949 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.577630997 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.577682018 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577717066 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577732086 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.577760935 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577765942 CET	49730	2227	192.168.2.4	185.244.212.106
Nov 26, 2024 00:19:13.577790976 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577879906 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577908039 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577956915 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.577982903 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578016996 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578129053 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578157902 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578186989 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578217983 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578244925 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578294992 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578321934 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578483105 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578509092 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578547001 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578576088 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578625917 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578659058 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578712940 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578761101 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578866005 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578892946 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.578924894 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579020977 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579050064 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579077005 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579159021 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579272985 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579395056 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579422951 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579480886 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579508066 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579539061 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579566002 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579616070 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579643965 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579685926 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579736948 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579766989 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579857111 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.579973936 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580002069 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580030918 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580058098 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580108881 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580137014 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580185890 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580213070 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580239058 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580265999 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580315113 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580342054 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580442905 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580492973 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580564976 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580593109 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580641985 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580668926 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580694914 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580744982 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580771923 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580799103 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580830097 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.580858946 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581044912 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581072092 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581120968 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581147909 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581197023 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581223965 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581314087 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581341982 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581397057 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581423998 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581455946 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581481934 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581556082 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581583977 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581634045 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581660032 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581711054 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581737041 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581788063 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581815004 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581954002 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.581979990 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582130909 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582158089 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582190037 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582390070 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582417011 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582443953 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582493067 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582520008 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582628965 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582654953 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582807064 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582834959 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582884073 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582911968 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.582956076 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583039045 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583085060 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583133936 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583223104 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583272934 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583317041 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583337069 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583388090 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583431005 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583458900 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583484888 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583518028 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583558083 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583584070 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583611965 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583673000 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583699942 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583739042 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583774090 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583800077 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583827972 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583853960 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583904028 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583930016 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583956957 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.583997011 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584022045 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584047079 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584073067 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584121943 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584148884 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584177017 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584203005 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584229946 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584256887 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584284067 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584311008 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584336996 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584388971 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584414959 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584441900 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584467888 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584495068 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584521055 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584547997 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584598064 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584636927 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584664106 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584690094 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584716082 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584743023 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584769011 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584794998 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584844112 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584872007 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.584975958 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.585002899 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.585031033 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.585057020 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.585083961 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.585109949 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.585136890 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.585163116 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.585190058 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.585216045 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.585267067 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.585294008 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.585319996 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.692981005 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693063021 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693104029 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693154097 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693320990 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693404913 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693456888 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693485022 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693533897 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693559885 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693612099 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693639994 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693689108 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693716049 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693767071 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693794966 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693845987 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693872929 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693921089 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.693945885 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.694907904 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.694957972 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695009947 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695059061 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695171118 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695199013 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695247889 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695275068 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695305109 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695554018 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695583105 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695609093 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695636988 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695688009 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695713997 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695741892 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695789099 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695815086 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695842028 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695868015 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695920944 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695946932 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.695997000 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.696027994 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.696054935 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.696085930 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.696185112 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.696212053 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.696389914 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.696417093 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.696798086 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.696850061 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.696882010 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.696930885 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.696990013 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697037935 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697148085 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697175026 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697206974 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697271109 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697302103 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697365999 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697400093 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697451115 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697609901 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697637081 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697695971 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697743893 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697792053 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697822094 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697901964 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697927952 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.697962046 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698009968 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698074102 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698100090 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698204994 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698231936 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698263884 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698313951 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698345900 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698374987 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698498964 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698527098 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698575974 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698604107 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698635101 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698683977 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698717117 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698764086 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698885918 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698914051 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698946953 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.698995113 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699134111 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699161053 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699218988 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699223995 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699376106 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699429035 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699469090 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699520111 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699606895 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699634075 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699690104 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699717045 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699764967 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699791908 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699840069 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699866056 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699911118 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.699959040 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700006962 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700032949 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700119019 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700146914 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700232983 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700259924 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700310946 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700337887 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700366020 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700392962 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700444937 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700472116 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700503111 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700529099 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700579882 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700612068 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700639009 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.700665951 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.741061926 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.749629021 CET	2227	49730	185.244.212.106	192.168.2.4
Nov 26, 2024 00:19:13.749701023 CET	49730	2227	192.168.2.4	185.244.212.106

Target ID:	0
Start time:	18:18:58
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xbf0000
File size:	30'208 bytes
MD5 hash:	472277A6072A8CFA733117FF1597C8DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000000.1664708303.0000000000BF7000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	27.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	35.7%
Total number of Nodes:	384
Total number of Limit Nodes:	8

Executed Functions

Function 00BF4C2D Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 208
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BF475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,00BF489D), ref: 00BF4771
Part of subcall function 00BF475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,00BF489D), ref: 00BF477E

KiUserCallbackDispatcher.NTDLL(0000004C), ref: 00BF4C9E
GetSystemMetrics.USER32(0000004D), ref: 00BF4CA5
GetDC.USER32(00000000), ref: 00BF4CE0
GetCurrentObject.GDI32(00000000,00000007), ref: 00BF4CF3
GetObjectW.GDI32(00000000,00000018,?), ref: 00BF4D0C
DeleteObject.GDI32(00000000), ref: 00BF4D3E
CreateCompatibleDC.GDI32(00000000), ref: 00BF4D9F
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00BF4DC0
SelectObject.GDI32(00000000,00000000), ref: 00BF4DD2
BitBlt.GDI32(00000000,00000000,00000000,?,00BF24F5,00000000,?,?,00CC0020), ref: 00BF4DF7

Part of subcall function 00BF3595: EnterCriticalSection.KERNEL32(00BF84D4,?,?,00BF3C72,?,00BF22DE), ref: 00BF359F
Part of subcall function 00BF3595: GetProcessHeap.KERNEL32(00000008,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35A8
Part of subcall function 00BF3595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35AF
Part of subcall function 00BF3595: LeaveCriticalSection.KERNEL32(00BF84D4,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35B8

Part of subcall function 00BF3E03: EnterCriticalSection.KERNEL32(00BF84D4,?,0000011C), ref: 00BF3E15

Part of subcall function 00BF35C3: GetProcessHeap.KERNEL32(00000000,00000000,00BF26DC), ref: 00BF35CA
Part of subcall function 00BF35C3: RtlFreeHeap.NTDLL(00000000), ref: 00BF35D1

DeleteObject.GDI32(00000000), ref: 00BF4E95
DeleteDC.GDI32(00000000), ref: 00BF4E9C
ReleaseDC.USER32(00000000,00000000), ref: 00BF4EA5

Strings

gdi3, xrefs: 00BF4C49
U, xrefs: 00BF4C5E
er32, xrefs: 00BF4C65
6, xrefs: 00BF4D84
(, xrefs: 00BF4D78
2, xrefs: 00BF4C55
- ScreenSize: {lWidth=%d, lHeight=%d}, xrefs: 00BF4D28

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: Object$HeapSection$CriticalDelete$CreateEnterProcess$AllocateCallbackCompatibleCurrentDispatcherFreeHandleLeaveLibraryLoadMetricsModuleReleaseSelectSystemUser
String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
API String ID: 1387450592-1028866296
Opcode ID: 7a0585fc6b997327920cf6beafd53e3c44a72cd3d4aa803a82243486637fb6fb
Instruction ID: da91b053b38a5e8fb17aa67398d7ae6f5ce12a792e2ca86fe346506b625a714d
Opcode Fuzzy Hash: 7a0585fc6b997327920cf6beafd53e3c44a72cd3d4aa803a82243486637fb6fb
Instruction Fuzzy Hash: D5716C71E0020CAADB25DBA4DC56FBEBBB9EF44700F104499E605FB291DF749A08CB65

Function 00BF1000 Relevance: 21.7, APIs: 4, Strings: 8, Instructions: 700
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,?), ref: 00BF13D1

Part of subcall function 00BF4108: GetFileAttributesW.KERNELBASE(01420DC8,00BF1035,01420DC8,?), ref: 00BF4109

Part of subcall function 00BF3595: EnterCriticalSection.KERNEL32(00BF84D4,?,?,00BF3C72,?,00BF22DE), ref: 00BF359F
Part of subcall function 00BF3595: GetProcessHeap.KERNEL32(00000008,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35A8
Part of subcall function 00BF3595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35AF
Part of subcall function 00BF3595: LeaveCriticalSection.KERNEL32(00BF84D4,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35B8

FindFirstFileW.KERNELBASE(00000000,?,01420DC8,?), ref: 00BF1161

Part of subcall function 00BF3F87: FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00BF3FE8
Part of subcall function 00BF3F87: FindNextFileW.KERNEL32(00BF179D,?), ref: 00BF4089

EnterCriticalSection.KERNEL32(00BF84D4), ref: 00BF16F5
LeaveCriticalSection.KERNEL32(00BF84D4), ref: 00BF170E

Strings

Discord/, xrefs: 00BF13AF
%s\*, xrefs: 00BF112A
7a?=, xrefs: 00BF1364
$Lr, xrefs: 00BF1281
7a?=, xrefs: 00BF1730
%s\%s, xrefs: 00BF11A2
%s%s, xrefs: 00BF150B, 00BF1854, 00BF19EA, 00BF1A4F
Telegram, xrefs: 00BF16FB

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: File$CriticalFindSection$EnterFirstHeapLeaveNext$AllocateAttributesProcess
String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$7a?=$Discord/$Telegram
API String ID: 1893179121-60960798
Opcode ID: 268fb6376e21f6583ecfec54a6aae19ed1d9337c54527caae6098a5ff16f1cf2
Instruction ID: 40cb7b6dd97a2e51880993b7bf7179fbb7e5ed27c09e048ab980d38039ac1257
Opcode Fuzzy Hash: 268fb6376e21f6583ecfec54a6aae19ed1d9337c54527caae6098a5ff16f1cf2
Instruction Fuzzy Hash: 8432D761E0021CA6DF24EB688891BBDB3F5DF50710F144DDAEA05E7291EF748E8C8B95

Function 00BF20E1 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BF3595: EnterCriticalSection.KERNEL32(00BF84D4,?,?,00BF3C72,?,00BF22DE), ref: 00BF359F
Part of subcall function 00BF3595: GetProcessHeap.KERNEL32(00000008,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35A8
Part of subcall function 00BF3595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35AF
Part of subcall function 00BF3595: LeaveCriticalSection.KERNEL32(00BF84D4,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35B8

GetCurrentHwProfileA.ADVAPI32(?), ref: 00BF2198
GetSystemInfo.KERNELBASE(?,?,0000011C), ref: 00BF21BF
GlobalMemoryStatusEx.KERNELBASE(?), ref: 00BF21F3
EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 00BF2275

Strings

@, xrefs: 00BF21EA
- HWID: %s, xrefs: 00BF21AC
- RAM: %d GB, xrefs: 00BF220A
- VideoAdapter #%d: %s, xrefs: 00BF2241
- CPU: %s (%d cores), xrefs: 00BF21D1

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
API String ID: 330852582-565344305
Opcode ID: 5d6999c619f1a3a01d7788199fdb6b3ff12ec1bbea9d9a228b5f5d8231d0927b
Instruction ID: ad6dbbbc083aebf5ad13228525890c434cb19c7a6f9cc6b7354f9c0e68c24487
Opcode Fuzzy Hash: 5d6999c619f1a3a01d7788199fdb6b3ff12ec1bbea9d9a228b5f5d8231d0927b
Instruction Fuzzy Hash: 27418371548309ABD724DF24CC85FBBB7E8EBC4710F10499DFA459B241EB309A58C7A6

Function 00BF4EB2 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 286
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,00BF84D4,?), ref: 00BF4F58
EnterCriticalSection.KERNEL32(00BF84D4), ref: 00BF5014

Part of subcall function 00BF4EB2: LeaveCriticalSection.KERNEL32(00BF84D4), ref: 00BF5031

FindNextFileW.KERNELBASE(?,?), ref: 00BF5200

Part of subcall function 00BF4108: GetFileAttributesW.KERNELBASE(01420DC8,00BF1035,01420DC8,?), ref: 00BF4109

Strings

%s\*, xrefs: 00BF4F42
%s\%s, xrefs: 00BF4F72
Telegram, xrefs: 00BF501A

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: File$CriticalFindSection$AttributesEnterFirstLeaveNext
String ID: %s\%s$%s\*$Telegram
API String ID: 648860119-4994844
Opcode ID: bee35ce7aa719e8c5cd4990f8960e5851fe6eedb5331004cae3467f1b30ce8f1
Instruction ID: 3952150672c48905f2eee6cf30a010643ef7e8d251b95681373d846feeb50c2d
Opcode Fuzzy Hash: bee35ce7aa719e8c5cd4990f8960e5851fe6eedb5331004cae3467f1b30ce8f1
Instruction Fuzzy Hash: 31A16521A5434CA9EF10DBA4EC46BBE73B5EF54710F10509AE604EB2A1EFB10F49C759

Function 00BF1DC9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 139
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?), ref: 00BF1E10

Part of subcall function 00BF3595: EnterCriticalSection.KERNEL32(00BF84D4,?,?,00BF3C72,?,00BF22DE), ref: 00BF359F
Part of subcall function 00BF3595: GetProcessHeap.KERNEL32(00000008,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35A8
Part of subcall function 00BF3595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35AF
Part of subcall function 00BF3595: LeaveCriticalSection.KERNEL32(00BF84D4,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35B8

FindNextFileW.KERNELBASE(00000000,?), ref: 00BF1F94

Strings

%s\*, xrefs: 00BF1DF7
%s\%s, xrefs: 00BF1E9B
%s%s, xrefs: 00BF1F4E

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: CriticalFileFindHeapSection$AllocateEnterFirstLeaveNextProcess
String ID: %s%s$%s\%s$%s\*
API String ID: 3555643018-2064654797
Opcode ID: 2be1f8e3499ac96f4f081859e30611fefccd5222a98a9e8bdcb7a6019bbb5afb
Instruction ID: 7bc60f733ec07c66b6a3132d81a07f2f41b31c628062ce6e4f02fe601b048bd6
Opcode Fuzzy Hash: 2be1f8e3499ac96f4f081859e30611fefccd5222a98a9e8bdcb7a6019bbb5afb
Instruction Fuzzy Hash: 9D41AF71208209ABC714EB28D855A3E77E8EF94740F044DADFA85C72A1EF31DA5CC796

Function 00BF1D21 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BF475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,00BF489D), ref: 00BF4771
Part of subcall function 00BF475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,00BF489D), ref: 00BF477E

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00BF1D80
CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 00BF1DB6

Strings

Poverty is the parent of crime., xrefs: 00BF1D9F
CRYPT32.dll, xrefs: 00BF1D4F

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: CryptData$HandleLibraryLoadModuleProtectUnprotect
String ID: CRYPT32.dll$Poverty is the parent of crime.
API String ID: 3642467563-1885057629
Opcode ID: 208b4adfb501df7aadac974075eb6140fa1f5e6eea50d9d57f25da1a0ed542a8
Instruction ID: eb67b90895b30cf763c218689322731c03e206ac37ded1094e72738cb5bdb8ef
Opcode Fuzzy Hash: 208b4adfb501df7aadac974075eb6140fa1f5e6eea50d9d57f25da1a0ed542a8
Instruction Fuzzy Hash: B2111FB5D0020DABDB10DF99C8859FFBBFCFB44350F5049AAE945A3240EB705E09CAA0

Function 00BF3595 Relevance: 6.0, APIs: 4, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00BF84D4,?,?,00BF3C72,?,00BF22DE), ref: 00BF359F
GetProcessHeap.KERNEL32(00000008,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35A8
RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35AF
LeaveCriticalSection.KERNEL32(00BF84D4,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35B8

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID:
API String ID: 1367039788-0
Opcode ID: 20a399060a88eccf731cfba6fcaa90eeefafa250c5cd08bda2aa467eef7ee35b
Instruction ID: a2fc469866e7dbecd83995949b8a0cfb9bcdc5a0db2daf7fcdc3244231bbc19d
Opcode Fuzzy Hash: 20a399060a88eccf731cfba6fcaa90eeefafa250c5cd08bda2aa467eef7ee35b
Instruction Fuzzy Hash: 57D0C73364812067DB5017F9BC0CDBBBF6CEF9566170500D6F205C3160CEA44C05C7A0

Function 00BF2282 Relevance: 38.8, APIs: 13, Strings: 9, Instructions: 304
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00BF84D4,00000DA3), ref: 00BF2297
CreateMutexA.KERNELBASE(00000000,00000000,085f229d-d27d-4fc1-9dc1-8958125ccbd9), ref: 00BF22AF
GetLastError.KERNEL32 ref: 00BF22C2

Strings

$, xrefs: 00BF25FD
$d.log, xrefs: 00BF2678
- UserAgent: %s, xrefs: 00BF25B3
- OperationSystem: %d:%d:%d, xrefs: 00BF232A
Browser, xrefs: 00BF25F3
085f229d-d27d-4fc1-9dc1-8958125ccbd9, xrefs: 00BF22A6, 00BF2612
shell32, xrefs: 00BF23E5
kernel32, xrefs: 00BF2439
@, xrefs: 00BF25DE

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$085f229d-d27d-4fc1-9dc1-8958125ccbd9$@$Browser$kernel32$shell32
API String ID: 2005177960-2855694024
Opcode ID: e0aeed097201a119827146e0b86c39f95ff3083383b9711d9be083641ac57338
Instruction ID: d53255ce9e5c20d4069ae842e0db7bf6afaac79e48b954913f11be9d522d1c5f
Opcode Fuzzy Hash: e0aeed097201a119827146e0b86c39f95ff3083383b9711d9be083641ac57338
Instruction Fuzzy Hash: 43C1AE3094424DAAEB14EBA4DC1ABBD7BF5AF15701F1400D8E701AB2E2DFB54A4CCB65

Function 00BF53F8 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 139
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BF475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,00BF489D), ref: 00BF4771
Part of subcall function 00BF475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,00BF489D), ref: 00BF477E

WSAStartup.WS2_32(00000202,?), ref: 00BF54E0
socket.WS2_32(?,00000001,00000000), ref: 00BF550F
connect.WS2_32(000000FF,?,00000010), ref: 00BF554E
send.WS2_32(000000FF,00000000,00000000), ref: 00BF5570
send.WS2_32(000000FF,000000FF,106,00000000), ref: 00BF558C
closesocket.WS2_32(000000FF), ref: 00BF55BC

Strings

185.244.212.106, xrefs: 00BF5523
ws2_32.dll, xrefs: 00BF5473
106, xrefs: 00BF557B, 00BF557F

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: send$HandleLibraryLoadModuleStartupclosesocketconnectsocket
String ID: 106$185.244.212.106$ws2_32.dll
API String ID: 653765639-2093737415
Opcode ID: 456372846b447d6fe5d37fe22b9c445d8f23eb01fd77e19eceae7dd916fa5b6a
Instruction ID: 2f7c292c9b9ddff3cb22eec7c14f09291ab0ecef97f482e04fca0c41682f3892
Opcode Fuzzy Hash: 456372846b447d6fe5d37fe22b9c445d8f23eb01fd77e19eceae7dd916fa5b6a
Instruction Fuzzy Hash: FF51A130D4428DEEEB128BE8D8097FDBFB99F15314F144089E660AE2D1C7B5474ACB65

Function 00BF44F7 Relevance: 16.7, APIs: 8, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BF4108: GetFileAttributesW.KERNELBASE(01420DC8,00BF1035,01420DC8,?), ref: 00BF4109

Part of subcall function 00BF3595: EnterCriticalSection.KERNEL32(00BF84D4,?,?,00BF3C72,?,00BF22DE), ref: 00BF359F
Part of subcall function 00BF3595: GetProcessHeap.KERNEL32(00000008,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35A8
Part of subcall function 00BF3595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35AF
Part of subcall function 00BF3595: LeaveCriticalSection.KERNEL32(00BF84D4,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35B8

EnterCriticalSection.KERNEL32(00BF84D4), ref: 00BF4580
LeaveCriticalSection.KERNEL32(00BF84D4), ref: 00BF45CC
EnterCriticalSection.KERNEL32(00BF84D4), ref: 00BF464F
LeaveCriticalSection.KERNEL32(00BF84D4), ref: 00BF4688
EnterCriticalSection.KERNEL32(00BF84D4), ref: 00BF46C5
LeaveCriticalSection.KERNEL32(00BF84D4), ref: 00BF4708
EnterCriticalSection.KERNEL32(00BF84D4), ref: 00BF4721
LeaveCriticalSection.KERNEL32(00BF84D4), ref: 00BF474A

Part of subcall function 00BF4377: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,00BF45FF), ref: 00BF4390
Part of subcall function 00BF4377: GetProcAddress.KERNEL32(00000000), ref: 00BF4399
Part of subcall function 00BF4377: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,00BF45FF), ref: 00BF43AA
Part of subcall function 00BF4377: GetProcAddress.KERNEL32(00000000), ref: 00BF43AD
Part of subcall function 00BF4377: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,00BF45FF), ref: 00BF442F
Part of subcall function 00BF4377: GetCurrentProcess.KERNEL32(00BF45FF,00000000,00000000,00000002,?,?,?,?,00BF45FF), ref: 00BF444B
Part of subcall function 00BF4377: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,00BF45FF), ref: 00BF445A
Part of subcall function 00BF4377: CloseHandle.KERNEL32(00BF45FF,?,?,?,?,00BF45FF), ref: 00BF448A

Part of subcall function 00BF35C3: GetProcessHeap.KERNEL32(00000000,00000000,00BF26DC), ref: 00BF35CA
Part of subcall function 00BF35C3: RtlFreeHeap.NTDLL(00000000), ref: 00BF35D1

Strings

\Network\Cookies, xrefs: 00BF45EC
@, xrefs: 00BF4566
\??\%s, xrefs: 00BF452F

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocateAttributesCloseCurrentDuplicateFileFreeOpen
String ID: @$\??\%s$\Network\Cookies
API String ID: 330363434-2791195959
Opcode ID: cb1a79caf202156c831fb31a10977095f4b3e7f2655f619a0267ca5a0fad0822
Instruction ID: ba8543ecf718e14f58abc5929feea02c6b1ae7d53a2cfeb48c526504243e1ec5
Opcode Fuzzy Hash: cb1a79caf202156c831fb31a10977095f4b3e7f2655f619a0267ca5a0fad0822
Instruction Fuzzy Hash: B471F67194420DAFEB049FA0DC4ABBD7BF6EB44705F108095FA01AB2E1DF709A49CB50

Function 00BF48D6 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 231
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,00BF2351), ref: 00BF48F7

Part of subcall function 00BF475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,00BF489D), ref: 00BF4771
Part of subcall function 00BF475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,00BF489D), ref: 00BF477E

GetCurrentProcess.KERNEL32(00BF2351), ref: 00BF496B
IsWow64Process.KERNEL32(00000000), ref: 00BF4972

Strings

ntdl, xrefs: 00BF4914
l, xrefs: 00BF4917

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
String ID: l$ntdl
API String ID: 1207166019-924918826
Opcode ID: 1970d2a2da0ccec706bdeca1b489fbfab8a3d79421802ed8e007f6098b359109
Instruction ID: 4643989bd8c70b58e42161705af0ad30554d5c5042a6b50d48a03b363ec4f825
Opcode Fuzzy Hash: 1970d2a2da0ccec706bdeca1b489fbfab8a3d79421802ed8e007f6098b359109
Instruction Fuzzy Hash: 2581903064520A9AEB249B54ED5577B33E8FF42B14F20589AE305DB7E1DFF48988C706

Function 00BF475F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,00BF489D), ref: 00BF4771
LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,00BF489D), ref: 00BF477E

Strings

ntdl, xrefs: 00BF476C, 00BF477D

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: ntdl
API String ID: 4133054770-3973061744
Opcode ID: 7c11d31d2b411e40f6b941701141c13e8da2f37c6fb8e90d1863938f86d119c0
Instruction ID: 7c8f96149e494bf455df71e8008855b8c700bcba12ab1b8793fd142c13e71996
Opcode Fuzzy Hash: 7c11d31d2b411e40f6b941701141c13e8da2f37c6fb8e90d1863938f86d119c0
Instruction Fuzzy Hash: BC31DE35E00619DBCB14CFA9C490ABEB7F0FF49710F04029AD555A3341C734AD59CBA0

Function 00BF35C3 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00BF26DC), ref: 00BF35CA
RtlFreeHeap.NTDLL(00000000), ref: 00BF35D1

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 10d41470a652375a5eed2e25c01b3bf3a5fda6a23fad1a062453153653a5b98e
Instruction ID: 2f73b1a717f361d25525aa601c2360d7dcf15b4195c2b988131e9033c9090d03
Opcode Fuzzy Hash: 10d41470a652375a5eed2e25c01b3bf3a5fda6a23fad1a062453153653a5b98e
Instruction Fuzzy Hash: AFB0127068D1006BEE081FF09D0DB3E3658EF40703F1010C8F302D3450CE684504C620

Function 00BF4108 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(01420DC8,00BF1035,01420DC8,?), ref: 00BF4109

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 446190d1d739a37467e5764d21731a66c50ca80e29e45d3105d82d7a1fbf70c0
Instruction ID: a2d190b3212861a0b1bd1e170fb87b6185402e01b9585e6e98dddbafcc002def
Opcode Fuzzy Hash: 446190d1d739a37467e5764d21731a66c50ca80e29e45d3105d82d7a1fbf70c0
Instruction Fuzzy Hash: 3BA022380302008BCA2C03300F2A02E30000E0A3F03220BCCF033CA0E0EE28C2808000

Non-executed Functions

Function 00BF3F87 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF4108: GetFileAttributesW.KERNELBASE(01420DC8,00BF1035,01420DC8,?), ref: 00BF4109

Part of subcall function 00BF3595: EnterCriticalSection.KERNEL32(00BF84D4,?,?,00BF3C72,?,00BF22DE), ref: 00BF359F
Part of subcall function 00BF3595: GetProcessHeap.KERNEL32(00000008,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35A8
Part of subcall function 00BF3595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35AF
Part of subcall function 00BF3595: LeaveCriticalSection.KERNEL32(00BF84D4,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35B8

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00BF3FE8
FindNextFileW.KERNEL32(00BF179D,?), ref: 00BF4089

Strings

%s\*, xrefs: 00BF3FD2
%s\%s, xrefs: 00BF4022
%s%s, xrefs: 00BF40D2

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: File$CriticalFindHeapSection$AllocateAttributesEnterFirstLeaveNextProcess
String ID: %s%s$%s\%s$%s\*
API String ID: 674214967-2064654797
Opcode ID: 43b6850c7560e8f136bfb9c7ab965f8806e50061723f50f0e7d227cdbbdf3d83
Instruction ID: 6c39ee3a9cd7f0516a8a16d055f7913f4e0a78b36377e47e2ee64ea1d45b2a63
Opcode Fuzzy Hash: 43b6850c7560e8f136bfb9c7ab965f8806e50061723f50f0e7d227cdbbdf3d83
Instruction Fuzzy Hash: AB31AC71A0422CB7DB21AA74CC49ABEB7E5DF84B40F0401E8EB0597291EF358F4D8B91

Function 00BF4145 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00BF4198
FindNextFileW.KERNEL32(000000FF,?), ref: 00BF41E4

Part of subcall function 00BF35C3: GetProcessHeap.KERNEL32(00000000,00000000,00BF26DC), ref: 00BF35CA
Part of subcall function 00BF35C3: RtlFreeHeap.NTDLL(00000000), ref: 00BF35D1

Strings

%s\*, xrefs: 00BF4182
%s\%s, xrefs: 00BF41F8

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: FileFindHeap$FirstFreeNextProcess
String ID: %s\%s$%s\*
API String ID: 1689202581-2848263008
Opcode ID: 508e5e00773241f9840d6c88a50ceb59e2858167ed116ad66369a721b588e10d
Instruction ID: 818b2689c6e83d8119a5a0e3376089b9108b125970c495c6665d949dd57f673d
Opcode Fuzzy Hash: 508e5e00773241f9840d6c88a50ceb59e2858167ed116ad66369a721b588e10d
Instruction Fuzzy Hash: F4319470B1021CABCB20AE68C895A7E7BE9EF55740F5004F9AA05D7252DF748E598B90

Function 00BF4377 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,00BF45FF), ref: 00BF4390
GetProcAddress.KERNEL32(00000000), ref: 00BF4399
GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,00BF45FF), ref: 00BF43AA
GetProcAddress.KERNEL32(00000000), ref: 00BF43AD

Part of subcall function 00BF3595: EnterCriticalSection.KERNEL32(00BF84D4,?,?,00BF3C72,?,00BF22DE), ref: 00BF359F
Part of subcall function 00BF3595: GetProcessHeap.KERNEL32(00000008,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35A8
Part of subcall function 00BF3595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35AF
Part of subcall function 00BF3595: LeaveCriticalSection.KERNEL32(00BF84D4,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35B8

OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,00BF45FF), ref: 00BF442F
GetCurrentProcess.KERNEL32(00BF45FF,00000000,00000000,00000002,?,?,?,?,00BF45FF), ref: 00BF444B
DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,00BF45FF), ref: 00BF445A
CloseHandle.KERNEL32(00BF45FF,?,?,?,?,00BF45FF), ref: 00BF448A
GetCurrentProcess.KERNEL32(00BF45FF,00000000,00000000,00000001,?,?,?,?,00BF45FF), ref: 00BF4498
DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,00BF45FF), ref: 00BF44A7
CloseHandle.KERNEL32(?,?,?,?,?,00BF45FF), ref: 00BF44BA
CloseHandle.KERNEL32(000000FF), ref: 00BF44DD
CloseHandle.KERNEL32(?), ref: 00BF44E5

Strings

NtQueryObject, xrefs: 00BF439B
NtQuerySystemInformation, xrefs: 00BF4386
ntdll, xrefs: 00BF438B, 00BF43A2

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocateEnterLeaveOpen
String ID: NtQueryObject$NtQuerySystemInformation$ntdll
API String ID: 3110323036-2044536123
Opcode ID: 3886dfacce4e46f73f9c7d83336af09827d29e0ff879c36add8869de42358b64
Instruction ID: 6e2897fef489b1c3bc31cf81350546d5a33b3183f050492b056940a956d8add6
Opcode Fuzzy Hash: 3886dfacce4e46f73f9c7d83336af09827d29e0ff879c36add8869de42358b64
Instruction Fuzzy Hash: 91414B71A4021DABDB109BA58C45EBFBBF9EF44710F1441A5E605E32A0DF74DE58CBA0

Function 00BF2A1E Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 245COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00BF2B09

Strings

(null), xrefs: 00BF2C14
0123456789ABCDEF, xrefs: 00BF2A85
0123456789abcdef, xrefs: 00BF2A7E
(null), xrefs: 00BF2B9A

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
API String ID: 1302938615-1267642376
Opcode ID: b297609e05fce8bbe0f8531b8e3f8724e4ad91f93dd5c88410e5f0a2d713177d
Instruction ID: 674e4426666899c187035a24783b8a23de0c58712760c0a25726d14e5018aa69
Opcode Fuzzy Hash: b297609e05fce8bbe0f8531b8e3f8724e4ad91f93dd5c88410e5f0a2d713177d
Instruction Fuzzy Hash: C591A57160470ACFDB25CF29C48063ABBE5FF84344F2449AEEA9A87651D770EC89CB51

Function 00BF1FBA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 84COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32 ref: 00BF201D
GetKeyboardLayoutList.USER32(00000032,?), ref: 00BF207F

Strings

- SystemLayout %d, xrefs: 00BF2059
), xrefs: 00BF20CF
{%d} , xrefs: 00BF20B2
- KeyboardLayouts: ( , xrefs: 00BF2068

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: DefaultKeyboardLanguageLayoutListUser
String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
API String ID: 167087913-619012376
Opcode ID: 9f68f3d280acdd19483fa6ddc1adc96a8770a6866a2907828e57dda2d0e29635
Instruction ID: 3606af52355683980e0c0309da8a832341341953bc73cca2236ddbe952695267
Opcode Fuzzy Hash: 9f68f3d280acdd19483fa6ddc1adc96a8770a6866a2907828e57dda2d0e29635
Instruction Fuzzy Hash: A131DF5094828CBADB009FF894027FDBBB0EF14701F0050D6F648EB282DA794B9DD76A

Function 00BF3111 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

x, xrefs: 00BF3451

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: 9ea2292d0356ca377097b0acb4f0d797a816406d7cafc007a52ddb58521e7d89
Instruction ID: c1ba30c826e0963096c135485f406e3c9512be59283a8ac8ff712e80b809f1b5
Opcode Fuzzy Hash: 9ea2292d0356ca377097b0acb4f0d797a816406d7cafc007a52ddb58521e7d89
Instruction Fuzzy Hash: F1029C74E0421EEFCB45CFA8C985AADBBF4FB09704F108496E926EB250D730AA55CF51

Function 00BF2C95 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 389COMMON

Download Yara Rule

APIs

Part of subcall function 00BF3595: EnterCriticalSection.KERNEL32(00BF84D4,?,?,00BF3C72,?,00BF22DE), ref: 00BF359F
Part of subcall function 00BF3595: GetProcessHeap.KERNEL32(00000008,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35A8
Part of subcall function 00BF3595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35AF
Part of subcall function 00BF3595: LeaveCriticalSection.KERNEL32(00BF84D4,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35B8

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00BF2ECA

Strings

x, xrefs: 00BF2FBF

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateByteCharEnterLeaveMultiProcessWide
String ID: x
API String ID: 1990697408-2363233923
Opcode ID: a0a838e3310b0278bbe3eef13c0f6d000d35d3bce5d12f2252ded5edbd28ed29
Instruction ID: 237ac1b824c853f063602569262fc2fe888d4e2e3e24b062f7450d75750fcd52
Opcode Fuzzy Hash: a0a838e3310b0278bbe3eef13c0f6d000d35d3bce5d12f2252ded5edbd28ed29
Instruction Fuzzy Hash: D002AF7490424DEFCF41CFA8C985AADBBF0FB09300F248496E965EB350D730AA55CB61

Function 00BF3DA9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,00000000,00000000,00000000,?,?,?,00BF3E4E,00000000,?,0000011C), ref: 00BF3DC1

Part of subcall function 00BF3595: EnterCriticalSection.KERNEL32(00BF84D4,?,?,00BF3C72,?,00BF22DE), ref: 00BF359F
Part of subcall function 00BF3595: GetProcessHeap.KERNEL32(00000008,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35A8
Part of subcall function 00BF3595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35AF
Part of subcall function 00BF3595: LeaveCriticalSection.KERNEL32(00BF84D4,?,?,?,00BF3C72,?,00BF22DE), ref: 00BF35B8

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,?,00000000,00000000,?,00BF3E4E,00000000,?,0000011C), ref: 00BF3DF7

Strings

$d.log, xrefs: 00BF3DB8, 00BF3DF0

Memory Dump Source

Source File: 00000000.00000002.1789606999.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000000.00000002.1789588950.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789623985.0000000000BF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789640117.0000000000BF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1789654412.0000000000BF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_file.jbxd

Yara matches

Similarity

API ID: ByteCharCriticalHeapMultiSectionWide$AllocateEnterLeaveProcess
String ID: $d.log
API String ID: 635875880-1910398676
Opcode ID: 96595d43302cbff2a1ed28285ab170b371534d644e4ee538da637cd00152b281
Instruction ID: 342d4be9970ba1b68e48cfcbedb37486198dcc7f0d3cd47bed926c7a2f48c1e9
Opcode Fuzzy Hash: 96595d43302cbff2a1ed28285ab170b371534d644e4ee538da637cd00152b281
Instruction Fuzzy Hash: 4FF05EB16051257FA7245A7ADC19C777AEDDBC5B7130542A9BD19CB2D4DD209C0482B0

Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106

Source: file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.1872415526.000000000CEEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.1794705574.0000000009FF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1829020053.000000000B74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1855013914.000000000C6D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Poverty Stealer

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
file.exe

Function 00BF4C2D Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 208
windowCOMMON

Function 00BF1000 Relevance: 21.7, APIs: 4, Strings: 8, Instructions: 700
fileCOMMON

Function 00BF20E1 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 134
COMMON

Function 00BF4EB2 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 286
fileCOMMON

Function 00BF1DC9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 139
fileCOMMON

Function 00BF1D21 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69
encryptionCOMMON

Function 00BF3595 Relevance: 6.0, APIs: 4, Instructions: 18
memoryCOMMON

Function 00BF2282 Relevance: 38.8, APIs: 13, Strings: 9, Instructions: 304
synchronizationCOMMON

Function 00BF53F8 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 139
networkCOMMON

Function 00BF44F7 Relevance: 16.7, APIs: 8, Strings: 3, Instructions: 179
COMMON

Function 00BF48D6 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 231
memoryCOMMON

Function 00BF475F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
libraryCOMMON

Function 00BF35C3 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Function 00BF4108 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON