Windows Analysis Report
v_dolg.exe

Overview

General Information

Sample name: v_dolg.exe
Analysis ID: 1577367
MD5: 378706614b22957208e09fc84fceece8
SHA1: d35e1f89f36aed26553b665f791cd69d82136fb8
SHA256: df6e6d5bead4aa34f8e0dd325400a5829265b0f615cd1da48d155cc30b89ad6d
Tags: 18521511316, 185215113209, bulletproof, exe, user-abus3reports

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • v_dolg.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\v_dolg.exe" MD5: 378706614B22957208E09FC84FCEECE8)
  • cleanup

Malware Configuration

{"C2 url": ["impend-differ.biz", "print-vexer.biz", "se-blurry.biz", "dare-curbys.biz", "zinc-sneark.biz", "covery-mover.biz", "dwell-exclaim.biz", "formy-spill.biz"], "Build id": "7Tl6Mk--legeng"}

Yara Overview

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Suricata Overview

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T12:42:23.274508+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49803 | 23.55.153.106 | 443 | TCP
2024-12-18T12:42:25.743411+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49812 | 172.67.157.254 | 443 | TCP
2024-12-18T12:42:27.328996+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49818 | 172.67.157.254 | 443 | TCP
2024-12-18T12:42:26.550676+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49812 | 172.67.157.254 | 443 | TCP
2024-12-18T12:42:26.550676+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49812 | 172.67.157.254 | 443 | TCP
2024-12-18T12:42:20.566681+0100 | 2057973 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 54422 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:19.428975+0100 | 2057975 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 60017 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:20.123421+0100 | 2057979 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 56217 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:20.338320+0100 | 2057977 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49547 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:21.039707+0100 | 2057969 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 56912 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:20.804369+0100 | 2057971 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 64276 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:19.669772+0100 | 2057983 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 61833 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:19.906169+0100 | 2057981 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 52213 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:24.067183+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49803 | 23.55.153.106 | 443 | TCP


      AV Detection

      Source: v_dolg.exe | Avira: detected
      Source: 1.2.v_dolg.exe.400000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["impend-differ.biz", "print-vexer.biz", "se-blurry.biz", "dare-curbys.biz", "zinc-sneark.biz", "covery-mover.biz", "dwell-exclaim.biz", "formy-spill.biz"], "Build id": "7Tl6Mk--legeng"}
      Source: v_dolg.exe | ReversingLabs: Detection: 81%
      Source: v_dolg.exe | Joe Sandbox ML: detected
      Source: 00000001.00000002.1864723985.0000000000401000.00000040.00000001.01000000.00000003.sdmp | String decryptor:
          impend-differ.biz
          print-vexer.biz
          dare-curbys.biz
          covery-mover.biz
          formy-spill.biz
          dwell-exclaim.biz
          zinc-sneark.biz
          se-blurry.biz
          dare-curbys.biz
          lid=%s&j=%s&ver=4.0
          TeslaBrowser/5.5
          - Screen Resoluton:
          - Physical Installed Memory:
          Workgroup: -
          7Tl6Mk--legeng
      Source: v_dolg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
      Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.7:49803 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49812 version: TLS 1.2
      Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: v_dolg.exe, 00000001.00000002.1864723985.000000000044E000.00000040.00000001.01000000.00000003.sdmp
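      The static findings in this section ("Uses 32bit PE files", "PE file contains sections with non-standard names", "Entry point lies outside standard sections" and the EXECUTABLE_IMAGE / 32BIT_MACHINE / DEBUG_STRIPPED flags) come from a plain header walk and can be reproduced on any sample. The PDB path on the line above names SecureEngine and XBundler, components of Oreans' Themida/WinLicense protector family, which is consistent with the unpacking and non-standard-section signatures. The script below is an added example written for this page, not Joe Sandbox code and not derived from the sample: it parses the COFF header, the optional header and the section table with the standard library only and reports the same conditions. The image it assembles in build_sample_pe(), the section name ".packed" and every size in it are constructed for the demonstration; STANDARD_SECTIONS is this example's own list of common linker section names and should be tuned to the toolchains seen in your environment. Run triage_file() on a real PE to apply it.

```python
"""Reproduce the report's static PE section checks (added example; not Joe Sandbox code)."""
import struct

# Example's own list of section names emitted by common linkers; anything else is "non-standard".
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".textbss", ".didat"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DEBUG_STRIPPED = 0x0200
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
PE32_MAGIC = 0x10B


def parse_pe(data: bytes):
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, num_sections, _stamp, _symtab, _nsyms,
     size_opt, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    sections, off = [], opt + size_opt
    for _ in range(num_sections):
        (name, vsize, vaddr, rawsize, _rawptr, _rel, _lin,
         _nrel, _nlin, flags) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        # Packers sometimes leave VirtualSize 0, so take the larger of the two sizes.
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": vaddr, "size": max(vsize, rawsize, 1), "flags": flags})
        off += 40
    return characteristics, magic, entry_rva, sections


def triage(data: bytes) -> dict:
    """Return the conditions the report's static signatures are built on."""
    characteristics, magic, entry_rva, sections = parse_pe(data)
    entry = next((s for s in sections if s["va"] <= entry_rva < s["va"] + s["size"]), None)
    return {
        "is_pe32": magic == PE32_MAGIC,
        "executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "debug_stripped": bool(characteristics & IMAGE_FILE_DEBUG_STRIPPED),
        "nonstandard_sections": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
        "entry_section": entry["name"] if entry else None,
        # True when the entry point is in no section at all or in a non-standard one.
        "entry_outside_standard_sections": entry is None or entry["name"] not in STANDARD_SECTIONS,
        "entry_section_executable": bool(entry and entry["flags"] & IMAGE_SCN_MEM_EXECUTE),
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


def build_sample_pe(entry_rva: int = 0x5000, names=(".text", ".packed")) -> bytes:
    """Hand-assemble a minimal PE32 header (constructed test input, not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DEBUG_STRIPPED)
    opt = struct.pack("<HBBIIII", PE32_MAGIC, 14, 0, 0x4000, 0, 0, entry_rva).ljust(0xE0, b"\0")
    table = b""
    for i, name in enumerate(names):                                 # 0x4000-byte sections from RVA 0x1000
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), 0x4000, 0x1000 + i * 0x4000,
                             0x4000, 0x400 + i * 0x4000, 0, 0, 0, 0,
                             IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    import sys
    result = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage(build_sample_pe())
    for key, value in result.items():
        print(f"{key}: {value}")
```

      The section-name check is only a prior: packers can keep the names ".text" and ".rdata" and still rewrite the section's contents at run time, which is why the report pairs it with the dynamic "Detected unpacking (changes PE section rights)" signature.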

      Networking

      Source: Network traffic | Suricata IDS: 2057949 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.7:52213 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057981 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.7:52213 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057931 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.7:49547 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057977 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.7:49547 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057935 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) : 192.168.2.7:56912 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057943 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) : 192.168.2.7:64276 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057969 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) : 192.168.2.7:56912 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057971 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) : 192.168.2.7:64276 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057945 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.7:61833 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057983 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.7:61833 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057929 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.7:56217 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057979 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.7:56217 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.7:60017 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057975 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.7:60017 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.7:54422 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2057973 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.7:54422 -> 1.1.1.1:53
      Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49812 -> 172.67.157.254:443
      Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49812 -> 172.67.157.254:443
      Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49803 -> 23.55.153.106:443
      Source: Malware configuration extractor | URLs: impend-differ.biz, print-vexer.biz, se-blurry.biz, dare-curbys.biz, zinc-sneark.biz, covery-mover.biz, dwell-exclaim.biz, formy-spill.biz
      Source: Joe Sandbox View | IP Address: 23.55.153.106
      Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49812 -> 172.67.157.254:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49818 -> 172.67.157.254:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49803 -> 23.55.153.106:443
      Source: global traffic | HTTP traffic detected:
          GET /profiles/76561199724331900 HTTP/1.1
          Connection: Keep-Alive
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
          Host: steamcommunity.com
      Source: global traffic | HTTP traffic detected:
          POST /api HTTP/1.1
          Connection: Keep-Alive
          Content-Type: application/x-www-form-urlencoded
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
          Content-Length: 8
          Host: lev-tolstoi.com
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833371640.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: the Content-Security-Policy header of the steamcommunity.com response, matched on www.youtube.com (Youtube). The report lists seven partly overlapping copies (four in the EEA000 region, three in the EFD000 region); the policy text is identical in all of them and is reproduced once:
          Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
          In the EEA000 region one copy is preceded by "user-PC\user/" and another by "NoClassInfo CLSID:{0000032A-0000-0000-C000-000000000046} Flags:17 IID:{00000000-0000-0000-C000-000000000046}". One copy in each region runs on into the remaining headers of the same response, stored as a table in which each value sits immediately before its header name: Set-Cookie steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None and sessionid=740ec1569cb3c9fe2d825efd; Path=/; Secure; SameSite=None, Server nginx, Expires Mon, 26 Jul 1997 05:00:00 GMT, Content-Type text/html; charset=UTF-8, Content-Length 35121, Date Wed, 18 Dec 2024 11:42:23 GMT, Connection close, Cache-Control no-cache.
      Source: global traffic | DNS traffic detected: DNS queries: dare-curbys.biz, se-blurry.biz, zinc-sneark.biz, dwell-exclaim.biz, formy-spill.biz, covery-mover.biz, print-vexer.biz, impend-differ.biz, steamcommunity.com, lev-tolstoi.com
      Source: unknown | HTTP traffic detected:
          POST /api HTTP/1.1
          Connection: Keep-Alive
          Content-Type: application/x-www-form-urlencoded
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
          Content-Length: 8
          Host: lev-tolstoi.com
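      Read together, the network findings in this section give a per-host detection rather than a set of isolated alerts: DNS lookups for the eight configuration domains, the Steam profile lookup on steamcommunity.com, a POST /api with the Chrome/119 User-Agent and an 8-byte form body, and the JA3 hash. The script below is an added example written for this page, not part of Joe Sandbox or of the Emerging Threats rules cited above; it runs the same correlation over Zeek-style records constructed inline (nothing in SAMPLE_LOG is captured traffic from the analysis), and its indicator weights and verdict thresholds are this example's own choice. Three caveats it encodes: the JA3 hash is only a Severity 3 "Possible Malware" match in the report and TLS fingerprints of Windows client stacks are shared by many legitimate programs, so it is weighted as corroboration and never raises a verdict alone; 23.55.153.106, flagged above as "seen in connection with other malware", is the steamcommunity.com endpoint reached on port 49803 for the profile lookup, and 172.67.157.254 is a Cloudflare address, so the domains rather than either IP are the durable indicators; and lev-tolstoi.com is absent from the extracted configuration yet received the check-in POST, so it is listed separately as an observed check-in host.

```python
"""Per-host correlation of the indicators in this report (added example; not Joe Sandbox or ET code)."""
import re
from collections import defaultdict

# Indicators taken from the report above.
C2_DOMAINS = {
    "impend-differ.biz", "print-vexer.biz", "se-blurry.biz", "dare-curbys.biz",
    "zinc-sneark.biz", "covery-mover.biz", "dwell-exclaim.biz", "formy-spill.biz",
}
OBSERVED_CHECKIN_HOSTS = {"lev-tolstoi.com"}       # received "POST /api"; not in the extracted config
JA3_SEEN_WITH_MALWARE = "a0e9f5d64349fb13191bc781f81f42e1"   # Suricata SID 2028371, severity 3 only
CHECKIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
STEAM_PROFILE = re.compile(r"^/profiles/\d{17}$")     # SteamID64 profile lookup

# Example's own weights: a config domain or a check-in to a known host is decisive on its own,
# the JA3 hash and a Steam profile view only corroborate.
WEIGHTS = {"c2_domain_dns": 100, "c2_checkin_post": 80, "checkin_shape_post": 30,
           "steam_profile_lookup": 10, "ja3_match": 5}


def classify(record: dict):
    """Yield the indicator names one Zeek-style record matches (dns / http / ssl records)."""
    kind = record["kind"]
    if kind == "dns":
        if record["query"].lower().rstrip(".") in C2_DOMAINS:
            yield "c2_domain_dns"
    elif kind == "http":
        host = record["host"].lower()
        if record["method"] == "GET" and host == "steamcommunity.com" and STEAM_PROFILE.match(record["uri"]):
            yield "steam_profile_lookup"
        if (record["method"] == "POST" and record["uri"] == "/api"
                and record.get("user_agent") == CHECKIN_UA and record.get("request_body_len", 0) <= 16):
            # Same request shape to an unknown host is worth a look but is not proof by itself.
            yield "c2_checkin_post" if host in C2_DOMAINS | OBSERVED_CHECKIN_HOSTS else "checkin_shape_post"
    elif kind == "ssl":
        if record.get("ja3") == JA3_SEEN_WITH_MALWARE:
            yield "ja3_match"


def score_hosts(records):
    """Aggregate distinct indicators per source host and turn the weighted sum into a verdict."""
    hits = defaultdict(set)
    for rec in records:
        for indicator in classify(rec):
            hits[rec["src"]].add(indicator)
    result = {}
    for src, indicators in hits.items():
        score = sum(WEIGHTS[i] for i in indicators)
        verdict = "malicious" if score >= 80 else "suspicious" if score >= 20 else "benign"
        result[src] = {"indicators": sorted(indicators), "score": score, "verdict": verdict}
    return result


# Constructed sample log: the 192.168.2.7 records mirror the report, the other hosts are benign filler.
SAMPLE_LOG = [
    {"kind": "dns", "src": "192.168.2.7", "query": "dare-curbys.biz"},
    {"kind": "dns", "src": "192.168.2.7", "query": "steamcommunity.com"},
    {"kind": "ssl", "src": "192.168.2.7", "server_name": "steamcommunity.com", "ja3": JA3_SEEN_WITH_MALWARE},
    {"kind": "http", "src": "192.168.2.7", "method": "GET", "host": "steamcommunity.com",
     "uri": "/profiles/76561199724331900", "user_agent": CHECKIN_UA},
    {"kind": "dns", "src": "192.168.2.7", "query": "lev-tolstoi.com"},
    {"kind": "http", "src": "192.168.2.7", "method": "POST", "host": "lev-tolstoi.com", "uri": "/api",
     "user_agent": CHECKIN_UA, "request_body_len": 8},
    # A workstation whose browser views a Steam profile and shares the JA3 hash: not enough on its own.
    {"kind": "ssl", "src": "192.168.2.20", "server_name": "steamcommunity.com", "ja3": JA3_SEEN_WITH_MALWARE},
    {"kind": "http", "src": "192.168.2.20", "method": "GET", "host": "steamcommunity.com",
     "uri": "/profiles/76561197960287930", "user_agent": CHECKIN_UA},
    {"kind": "dns", "src": "192.168.2.31", "query": "store.steampowered.com"},
]

if __name__ == "__main__":
    for src, outcome in score_hosts(SAMPLE_LOG).items():
        print(src, outcome)
```

      In a real deployment the DNS-lookup rules (SIDs 20579xx above) fire first, roughly five seconds before the TLS check-in in this report's timeline, which is why the DNS indicator is weighted as decisive: it is the earliest point at which the host can be isolated.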
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
      Source: v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
      Source: v_dolg.exe, 00000001.00000003.1833371640.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
      Source: v_dolg.exe, 00000001.00000003.1833371640.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fas
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQ
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&l=e
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833371640.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
      Source: v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833371640.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://impend-differ.biz/api
      Source: v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/
      Source: v_dolg.exe, 00000001.00000002.1866244212.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/Y
      Source: v_dolg.exe, 00000001.00000002.1866244212.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/a
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000002.1866244212.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api
      Source: v_dolg.exe, 00000001.00000002.1866244212.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apiO
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apiZ;I
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:443/api
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
      Source: v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
      Source: v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
      Source: v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
      Source: v_dolg.exe, 00000001.00000003.1833371640.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
      Source: v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
      Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
      Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
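The string list above mixes three kinds of URL: the HTML of a Steam profile page the sample fetched (steamcommunity.com, its fastly/akamaized asset hosts and the hosts named in Steam's Content-Security-Policy header such as recaptcha.net and youtube.com), the sample's own endpoints (lev-tolstoi.com/api, impend-differ.biz/api), and strings that were cut off at a memory-region boundary or are followed by junk bytes (community.fas, /apiZ;I, /apiO). Lumma's use of a Steam profile as a dead-drop resolver is documented behaviour of the family in general; the report does not say that about this sample, so the analyst has to draw that inference. The following Python, an added example that is not Joe Sandbox code, parses report lines in this format and separates those groups. REPORT_LINES are copied from the list above; the host allowlist, the prefix-based noise collapsing and the truncation heuristic are the analyst's assumptions, not something the report provides.

```python
"""Triage the 'String found in binary or memory' lines of a sandbox report.

Added example, not Joe Sandbox code. REPORT_LINES are copied from the report
above; the allowlist and the noise heuristics are the analyst's assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts explained by the Steam profile page the sample fetched: its HTML,
# asset CDNs and the hosts named in Steam's Content-Security-Policy header.
# Assumption: an analyst-maintained allowlist.
BENIGN_SUFFIXES = (
    "steampowered.com", "steamstatic.com", "steamcommunity.com", "steam.tv",
    "akamaized.net", "eccdnx.com", "valvesoftware.com", "google.com",
    "gstatic.com", "gstatic.cn", "recaptcha.net", "youtube.com", "ytimg.com",
    "vimeo.com", "sketchfab.com", "medal.tv",
)
# Accepts both the fused form ("...sdmpString found...") and a '|'-separated one.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.*?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)"
)
# Dump id: <pid-index>.<dump-type>.<dump-no>.<base-address>.<...>.sdmp
REGION_RE = re.compile(r"\b\d{8}\.\d{8}\.\d+\.([0-9A-Fa-f]{16})\.")
PROFILE_RE = re.compile(r"profiles(?:/|%2F)(\d{17})")

# Constructed input: nine lines copied from the report above.
REPORT_LINES = [
    "Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net/recaptcha/;",
    "Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lv.queniujq.cn",
    "Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/",
    "Source: v_dolg.exe, 00000001.00000003.1833371640.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fas",
    "Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://impend-differ.biz/api",
    "Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000002.1866244212.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api",
    "Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apiZ;I",
    "Source: v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com:443/api",
    "Source: v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900",
]


def parse_line(line):
    """Return (url, {dump base addresses}) for a report line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("url"), {int(a, 16) for a in REGION_RE.findall(m.group("src"))}


def is_allowlisted(host):
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage(lines):
    """Split URLs into allowlisted hosts, C2 candidates and truncated strings."""
    allow = defaultdict(set)  # host -> dump regions it was seen in
    cand = defaultdict(lambda: {"paths": set(), "regions": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        url, regions = parsed
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not host:
            continue
        if is_allowlisted(host):
            allow[host] |= regions
            continue
        path = parts.path + (f"?{parts.query}" if parts.query else "")
        cand[host]["paths"].add(path)
        cand[host]["regions"] |= regions
    # Heuristic: a host that is a proper prefix of another observed host was
    # cut off by a region boundary (community.fas), not a separate IOC.
    observed = set(allow) | set(cand)
    truncated = sorted(h for h in cand if any(o != h and o.startswith(h) for o in observed))
    for h in truncated:
        del cand[h]
    return {"allowlisted": dict(allow), "candidates": dict(cand), "truncated": truncated}


def collapse_paths(paths):
    """Drop paths that merely extend another observed path with trailing bytes
    ('/apiZ;I' next to '/api'). Assumption: a real endpoint is also seen alone."""
    return {p for p in paths if not any(q != p and len(q) >= 4 and p.startswith(q) for q in paths)}


def c2_endpoints(result):
    """Candidate URLs worth blocking or hunting, memory noise removed."""
    return [f"https://{host}{path}"
            for host, info in sorted(result["candidates"].items())
            for path in sorted(collapse_paths(info["paths"]))]


def region_context(result):
    """Allowlisted hosts sharing a dump region with each candidate. A candidate
    that only co-occurs with page content (CSP hosts, CDNs) is probably part of
    the fetched page; one that shares its region with no page content is not."""
    return {host: sorted(h for h, regs in result["allowlisted"].items() if regs & info["regions"])
            for host, info in result["candidates"].items()}


def steam_profile_ids(lines):
    """64-bit Steam profile IDs referenced anywhere in the lines."""
    return sorted({m.group(1) for line in lines for m in PROFILE_RE.finditer(line)})
```

On the lines above, c2_endpoints() yields impend-differ.biz/api and lev-tolstoi.com/api (the :443 form and /apiZ;I fold into the latter), community.fas is reported as truncated, and region_context() shows lv.queniujq.cn sharing region 0xEEA000 only with recaptcha.net and the Steam asset host, which is the case for treating it as page content rather than C2. The analyst still makes that call; the function only surfaces the co-location.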
Source: unknown | Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.7:49803 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49812 version: TLS 1.2
Source: v_dolg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@10/2
Source: C:\Users\user\Desktop\v_dolg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: v_dolg.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\v_dolg.exe | File read: C:\Users\user\Desktop\v_dolg.exe
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\v_dolg.exe | Section loaded: ondemandconnroutehelper.dll
Source: v_dolg.exe | Static file information: File size 3794944 > 1048576
Source: v_dolg.exe | Static PE information: Raw size of .MPRESS1 is bigger than: 0x100000 < 0x35b400
      Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: v_dolg.exe, 00000001.00000002.1864723985.000000000044E000.00000040.00000001.01000000.00000003.sdmp

      Data Obfuscation

Source: C:\Users\user\Desktop\v_dolg.exe | Unpacked PE file: 1.2.v_dolg.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .MPRESS2
Source: v_dolg.exe | Static PE information: section name: .MPRESS1
Source: v_dolg.exe | Static PE information: section name: .MPRESS2
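The four static findings in this group (non-standard section names, an entry point in .MPRESS2 rather than .text, a section whose rights differ between the file on disk and the unpacked dump, and a section whose raw size exceeds 0x100000) all come from the PE section table. The following Python reproduces them from the headers alone using only the standard library. It is an added example, not Joe Sandbox code; build_pe() constructs a header-only PE32 that mimics the reported MPRESS layout for testing and is not the real sample, the R/W/X notation is mine rather than Joe's EW/ER, and the list of "standard" section names is an assumption.

```python
"""Static PE section checks behind the Data Obfuscation findings above.

Added example, not Joe Sandbox code. build_pe() constructs a header-only
PE32 (no real code) shaped like the reported MPRESS layout, for testing.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumption: the usual linker-emitted names; anything else is flagged.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}


def parse_pe(data):
    """Return (entry_rva, sections) from a PE32/PE32+ file or memory image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i        # IMAGE_SECTION_HEADER (40 bytes)
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
    return entry_rva, sections


def rights(chars):
    """R/W/X letters for a section's characteristics (my notation, not Joe's)."""
    return "".join(l for bit, l in ((IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"),
                                    (IMAGE_SCN_MEM_EXECUTE, "X")) if chars & bit)


def assess(data, big_section=0x100000):
    """Apply the static checks and return the entry section plus findings."""
    entry_rva, sections = parse_pe(data)
    findings, entry_section = [], None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_section = s["name"]
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s['name']}")
        if "W" in rights(s["chars"]) and "X" in rights(s["chars"]):
            findings.append(f"writable and executable section: {s['name']}")
        if s["raw_size"] > big_section:
            findings.append(f"raw size of {s['name']} is bigger than {big_section:#x}: {s['raw_size']:#x}")
    if entry_section is None:
        findings.append(f"entry point {entry_rva:#x} lies outside every section")
    elif entry_section != ".text":
        findings.append(f"entry point lies in {entry_section}, not .text")
    return {"entry_section": entry_section, "findings": findings}


def rights_changed(on_disk, in_memory):
    """Sections whose R/W/X flags differ between the file and a dump of it,
    the comparison behind 'Detected unpacking (changes PE section rights)'."""
    disk = {s["name"]: rights(s["chars"]) for s in parse_pe(on_disk)[1]}
    mem = {s["name"]: rights(s["chars"]) for s in parse_pe(in_memory)[1]}
    return {n: (disk[n], mem[n]) for n in disk if n in mem and disk[n] != mem[n]}


def build_pe(sections, entry_rva):
    """Construct a header-only PE32 for testing. sections is a list of
    (name, virtual_address, virtual_size, raw_size, characteristics)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = bytearray(b"MZ").ljust(e_lfanew, b"\0")
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    hdrs, raw_ptr = b"", 0x400
    for name, va, vsize, raw_size, chars in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                            raw_size, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += raw_size
    return bytes(dos) + b"PE\0\0" + coff + opt + hdrs
```

Run assess() on the file and rights_changed() on the file versus a process dump to get the same picture the report gives: the MPRESS sections are non-standard, the entry point sits in .MPRESS2, .MPRESS1 is far over the size threshold, and both MPRESS sections turn writable in memory because the stub unpacks into them before jumping to the original entry point.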

      Boot Survival

Source: C:\Users\user\Desktop\v_dolg.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\v_dolg.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\v_dolg.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\v_dolg.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\v_dolg.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\v_dolg.exe | API/Special instruction interceptor: Address: B5257A
Source: C:\Users\user\Desktop\v_dolg.exe | API/Special instruction interceptor: Address: ABF6BE
Source: C:\Users\user\Desktop\v_dolg.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\v_dolg.exe | Special instruction interceptor: First address: 60D88F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\v_dolg.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\v_dolg.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\v_dolg.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\v_dolg.exe TID: 7944 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\v_dolg.exe TID: 7944 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\v_dolg.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: v_dolg.exe, 00000001.00000003.1392757468.0000000000E00000.00000004.00001000.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1392867189.0000000000E00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__
Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: v_dolg.exe, 00000001.00000003.1393199475.0000000000E00000.00000004.00001000.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1393317550.0000000000E00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__
Source: v_dolg.exe, 00000001.00000002.1865967070.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
      Source: v_dolg.exe, 00000001.00000003.1392972449.0000000000E00000.00000004.00001000.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1393088337.0000000000E00000.00000004.00001000.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1393423549.0000000000E00000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__
      Source: C:\Users\user\Desktop\v_dolg.exeSystem information queried: ModuleInformationJump to behavior
      Source: C:\Users\user\Desktop\v_dolg.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\v_dolg.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\v_dolg.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\v_dolg.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\v_dolg.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\v_dolg.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\v_dolg.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\v_dolg.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\v_dolg.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\v_dolg.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\v_dolg.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\v_dolg.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\v_dolg.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\v_dolg.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\v_dolg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | OS Credential Dumping | 721 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Software Packing | LSASS Memory | 33 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 3 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 114 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 223 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Ingress Tool Transfer | Traffic Duplication | Data Destruction

Source | Detection | Scanner | Label | Link
v_dolg.exe | 82% | ReversingLabs | Win32.Trojan.Casdet
v_dolg.exe | 100% | Avira | HEUR/AGEN.1314118
v_dolg.exe | 100% | Joe Sandbox ML
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://lev-tolstoi.com/Y | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/api | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/ | 0% | Avira URL Cloud | safe
https://community.fas | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/a | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/apiO | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/apiZ;I | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com:443/api | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.55.153.106 | true | false | | high
lev-tolstoi.com | 172.67.157.254 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
dare-curbys.biz | unknown | unknown | false | | high
impend-differ.biz | unknown | unknown | false | | high
se-blurry.biz | unknown | unknown | false | | high
zinc-sneark.biz | unknown | unknown | false | | high
print-vexer.biz | unknown | unknown | false | | high
dwell-exclaim.biz | unknown | unknown | false | | high
covery-mover.biz | unknown | unknown | false | | high
formy-spill.biz | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
dare-curbys.biz | false | | high
formy-spill.biz | false | | high
https://steamcommunity.com/profiles/76561199724331900 | false | | high
https://lev-tolstoi.com/api | true | Avira URL Cloud: safe | unknown
print-vexer.biz | false | | high
impend-differ.biz | false | | high
dwell-exclaim.biz | false | | high
zinc-sneark.biz | false | | high
se-blurry.biz | false | | high
covery-mover.biz | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://player.vimeo.com | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/?subsection=broadcasts | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/subscriber_agreement/ | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.gstatic.cn/recaptcha/ | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.valvesoftware.com/legal.htm | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&amp;l=en | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833371640.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.youtube.com | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/Y | v_dolg.exe, 00000001.00000002.1866244212.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ | v_dolg.exe, 00000001.00000003.1833371640.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=engl | v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&amp;l=englis | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s.ytimg.com; | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english& | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833371640.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/ | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steam.tv/ | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/a | v_dolg.exe, 00000001.00000002.1866244212.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&amp;l=en | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/ | v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://store.steampowered.com/privacy_agreement/ | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/points/shop/ | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&amp;l=english&a | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://sketchfab.com | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lv.queniujq.cn | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/profiles/76561199724331900/inventory/ | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.youtube.com/ | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/privacy_agreement/ | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&amp;l=eng | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&amp;l=english&am | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/recaptcha/ | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://checkout.steampowered.com/ | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://impend-differ.biz/api | v_dolg.exe, 00000001.00000002.1865967070.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQ | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/; | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/about/ | v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fas | v_dolg.exe, 00000001.00000003.1833371640.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://steamcommunity.com/my/wishlist/ | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&amp; | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://help.steampowered.com/en/ | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/market/ | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/news/ | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://store.steampowered.com/subscriber_agreement/ | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://recaptcha.net/recaptcha/; | v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/discussions/ | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/stats/ | v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmp | false
                                                                                                                                                high
                                                                                                                                                https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amv_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://medal.tvv_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://broadcast.st.dl.eccdnx.comv_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngv_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&amp;l=english&av_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://store.steampowered.com/steam_refunds/v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&av_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp;l=ev_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&amp;l=ev_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://steamcommunity.com/workshop/v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://login.steampowered.com/v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbbv_dolg.exe, 00000001.00000003.1833371640.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&amp;l=english&amp;_cv_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://store.steampowered.com/legal/v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&amp;l=env_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&amp;l=engv_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&amp;l=english&av_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&amp;l=englv_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://recaptcha.netv_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://store.steampowered.com/v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.pngv_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://lev-tolstoi.com/apiZ;Iv_dolg.exe, 00000001.00000002.1865967070.0000000000EAC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                                                              unknown
                                                                                                                                                                                              http://127.0.0.1:27060v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgv_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gifv_dolg.exe, 00000001.00000002.1865967070.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://lev-tolstoi.com:443/apiv_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQv_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&ampv_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://help.steampowered.com/v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://api.steampowered.com/v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://lev-tolstoi.com/apiOv_dolg.exe, 00000001.00000002.1866244212.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                                                                            unknown
                                                                                                                                                                                                            http://store.steampowered.com/account/cookiepreferences/v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1864150774.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://store.steampowered.com/mobilev_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                https://steamcommunity.com/v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&amp;lv_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
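The rows of the memory-URL table above are printed with the URL, the memory-dump references and the "malicious" verdict run together on one line, followed by optional antivirus lines and the reputation. The Python below is an added example, not part of the Joe Sandbox report: it parses rows in that flattened form back into fields, groups them by host, singles out hosts whose reputation column is not "high" (in this report only lev-tolstoi.com, which Avira URL Cloud rates "safe" and the report leaves at reputation "unknown"), and lists the memory dumps that referenced a given host so an analyst can pivot to the right dump for string hunting. The sample input is four rows copied from the table; the dump-identifier layout and the process name v_dolg.exe are assumptions read off those rows.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Layout of a Joe Sandbox memory-dump identifier as printed in the table
# (PID.stage.dump-id.address.four-protection-fields.sdmp). Assumption inferred
# from the rows of this report, not a documented Joe Sandbox format.
DUMP_ID = r"\d{8}\.\d{8}\.\d+\.[0-9A-Fa-f]{16}(?:\.\d{8}){4}\.sdmp"
VERDICT_RE = re.compile(r"(true|false)$")


@dataclass
class UrlRow:
    url: str
    sources: list                              # (process, dump id) pairs
    malicious: bool
    av: list = field(default_factory=list)     # e.g. "Avira URL Cloud: safe"
    reputation: str = ""                       # "high", "unknown", ...

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def source_re(processes):
    """Regex for '<process>, <dump id>' where <process> is one of the known names."""
    names = "|".join(re.escape(p) for p in processes)
    return re.compile(rf"({names}), ({DUMP_ID})")


def parse_row(line: str, src_re) -> UrlRow:
    """Split 'URL<process>, <dump id>, ...<true|false>' into its fields."""
    verdict = VERDICT_RE.search(line)
    if verdict is None:
        raise ValueError(f"no malicious verdict at end of row: {line!r}")
    body = line[: verdict.start()]
    first = src_re.search(body)                # the URL ends where the first source begins
    if first is None:
        raise ValueError(f"no memory-dump source in row: {line!r}")
    return UrlRow(
        url=body[: first.start()],
        sources=src_re.findall(body[first.start():]),
        malicious=verdict.group(1) == "true",
    )


def parse_table(text: str, processes=("v_dolg.exe",)) -> list:
    """Parse the flattened table: a URL row, optional '•' antivirus lines, a reputation line."""
    src_re = source_re(processes)
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("http://", "https://")):
            rows.append(parse_row(line, src_re))
        elif not rows:
            continue                           # stray text before the first row
        elif line.startswith("•"):
            rows[-1].av.append(line.lstrip("• ").strip())
        else:
            rows[-1].reputation = line
    return rows


def triage(rows):
    """Group rows by host and single out hosts that lack a 'high' reputation."""
    by_host = {}
    for r in rows:
        by_host.setdefault(r.host, []).append(r)
    suspect = {h: rs for h, rs in by_host.items()
               if any(r.reputation != "high" for r in rs)}
    return by_host, suspect


def dumps_for_host(rows, host):
    """Memory dumps that contained a URL on `host` (pivot points for string hunting)."""
    return sorted({d for r in rows if r.host == host for _, d in r.sources})


# Constructed sample: four rows copied verbatim from the memory-URL table of this report.
SAMPLE_ROWS = """
https://help.steampowered.com/en/v_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, v_dolg.exe, 00000001.00000003.1833331428.0000000000F37000.00000004.00000020.00020000.00000000.sdmpfalse
high
https://lev-tolstoi.com/apiZ;Iv_dolg.exe, 00000001.00000002.1865967070.0000000000EAC000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
https://lev-tolstoi.com:443/apiv_dolg.exe, 00000001.00000003.1856564409.0000000000F41000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
http://127.0.0.1:27060v_dolg.exe, 00000001.00000002.1865967070.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpfalse
high
"""

if __name__ == "__main__":
    rows = parse_table(SAMPLE_ROWS)
    by_host, suspect = triage(rows)
    for host, rs in suspect.items():
        print(host, [r.url for r in rs], dumps_for_host(rows, host))
```

Strings carved from process memory often carry bytes from the neighbouring allocation (the "apiZ;I" and "apiO" tails on the lev-tolstoi.com rows), so the triage keys on the host rather than the full URL. The "malicious: false" column is the sandbox's per-URL verdict and is false for every row here, including the unknown-reputation host; the reputation column, not the verdict, is what separates the Steam and Google CDN noise from the host worth investigating.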
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.157.254 | lev-tolstoi.com | United States | 13335 | CLOUDFLARENET (US) | false
23.55.153.106 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1 (EU) | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577367
Start date and time: 2024-12-18 12:40:31 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
                                                                                                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                                                                                                    Sample name:v_dolg.exe
                                                                                                                                                                                                                    Detection:MAL
                                                                                                                                                                                                                    Classification:mal100.troj.evad.winEXE@1/0@10/2
                                                                                                                                                                                                                    EGA Information:Failed
                                                                                                                                                                                                                    HCA Information:
                                                                                                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                                                                                                    • Number of executed functions: 0
                                                                                                                                                                                                                    • Number of non-executed functions: 0
                                                                                                                                                                                                                    Cookbook Comments:
                                                                                                                                                                                                                    • Found application associated with file extension: .exe
                                                                                                                                                                                                                    • Stop behavior analysis, all processes terminated
                                                                                                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                    • Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
                                                                                                                                                                                                                    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                    • VT rate limit hit for: v_dolg.exe
| Time | Type | Description |
|---|---|---|
| 06:42:19 | API Interceptor | 10x Sleep call for process: v_dolg.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 172.67.157.254 | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | |
| 172.67.157.254 | alexshlu.exe | malicious | LummaC Stealer | |
| 172.67.157.254 | ardware-v1.exe | malicious | LummaC | |
| 172.67.157.254 | https://t.co/nq9BYOxCg9 | malicious | HTMLPhisher | |
| 23.55.153.106 | cccc2.exe | malicious | LummaC | |
| 23.55.153.106 | CompleteStudio.exe | malicious | LummaC | |
| 23.55.153.106 | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | |
| 23.55.153.106 | alexshlu.exe | malicious | LummaC Stealer | |
| 23.55.153.106 | 99awhy8l.exe | malicious | LummaC | |
| 23.55.153.106 | 5_6253708004881862888.exe | malicious | LummaC | |
| 23.55.153.106 | noll.exe | malicious | Stealc, Vidar | |
| 23.55.153.106 | 1fxm3u0d.exe | malicious | LummaC | |
| 23.55.153.106 | 2kudv4ea.exe | malicious | LummaC | |
| 23.55.153.106 | ardware-v1.exe | malicious | LummaC | |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| lev-tolstoi.com | CompleteStudio.exe | malicious | LummaC | 104.21.66.86 |
| lev-tolstoi.com | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 172.67.157.254 |
| lev-tolstoi.com | alexshlu.exe | malicious | LummaC Stealer | 172.67.157.254 |
| lev-tolstoi.com | 5_6253708004881862888.exe | malicious | LummaC | 104.21.66.86 |
| lev-tolstoi.com | 1fxm3u0d.exe | malicious | LummaC | 104.21.66.86 |
| lev-tolstoi.com | 2kudv4ea.exe | malicious | LummaC | 104.21.66.86 |
| lev-tolstoi.com | ardware-v1.exe | malicious | LummaC | 104.21.66.86 |
| lev-tolstoi.com | ardware-v1.exe | malicious | LummaC | 172.67.157.254 |
| s-part-0035.t-0009.t-msedge.net | Setup2.exe | malicious | Cryptbot | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | clcs.exe | malicious | Cryptbot | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | 2kudv4ea.exe | malicious | LummaC | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | stealc_default2.exe | malicious | Stealc, Vidar | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | F1TwARdSKB.js | malicious | Mint Stealer | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | EXTERNALRe.msg | malicious | Unknown | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | JnEZtj3vtN.exe | malicious | PureCrypter | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | https://syndiclair-my.sharepoint.com/:o:/g/personal/ml_syndiclair_fr/En8EbZMYpZ5CodZQ05mt4IMBGZHEHcSylnIeMh0DoULmZw?e=UkXb4Y | malicious | Unknown | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | Cb89Ti1Mib.exe | malicious | Unknown | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | WErY5oc4hl.ps1 | malicious | XWorm | 13.107.246.63 |
| steamcommunity.com | cccc2.exe | malicious | LummaC | 23.55.153.106 |
| steamcommunity.com | CompleteStudio.exe | malicious | LummaC | 23.55.153.106 |
| steamcommunity.com | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 23.55.153.106 |
| steamcommunity.com | alexshlu.exe | malicious | LummaC Stealer | 23.55.153.106 |
| steamcommunity.com | 99awhy8l.exe | malicious | LummaC | 23.55.153.106 |
| steamcommunity.com | 5_6253708004881862888.exe | malicious | LummaC | 23.55.153.106 |
| steamcommunity.com | noll.exe | malicious | Stealc, Vidar | 23.55.153.106 |
| steamcommunity.com | 1fxm3u0d.exe | malicious | LummaC | 23.55.153.106 |
| steamcommunity.com | 2kudv4ea.exe | malicious | LummaC | 23.55.153.106 |
| steamcommunity.com | ardware-v1.exe | malicious | LummaC | 23.55.153.106 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| AKAMAI-ASN1EU | cccc2.exe | malicious | LummaC | 23.55.153.106 |
| AKAMAI-ASN1EU | CompleteStudio.exe | malicious | LummaC | 23.55.153.106 |
| AKAMAI-ASN1EU | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 23.55.153.106 |
| AKAMAI-ASN1EU | alexshlu.exe | malicious | LummaC Stealer | 23.55.153.106 |
| AKAMAI-ASN1EU | 99awhy8l.exe | malicious | LummaC | 23.55.153.106 |
| AKAMAI-ASN1EU | 5_6253708004881862888.exe | malicious | LummaC | 23.55.153.106 |
| AKAMAI-ASN1EU | noll.exe | malicious | Stealc, Vidar | 23.55.153.106 |
| AKAMAI-ASN1EU | 1fxm3u0d.exe | malicious | LummaC | 23.55.153.106 |
| AKAMAI-ASN1EU | 2kudv4ea.exe | malicious | LummaC | 23.55.153.106 |
| AKAMAI-ASN1EU | EXTERNALRe.msg | malicious | Unknown | 23.44.201.32 |
| CLOUDFLARENETUS | winrar-x64-701.exe | malicious | Unknown | 104.21.80.99 |
| CLOUDFLARENETUS | CompleteStudio.exe | malicious | LummaC | |
                                                                                                                                                                                                                                                • 104.21.66.86
                                                                                                                                                                                                                                                winrar-x64-701.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                • 172.67.177.42
                                                                                                                                                                                                                                                random.exe.6.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                • 104.21.23.76
                                                                                                                                                                                                                                                alexshlu.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                                • 172.67.157.254
                                                                                                                                                                                                                                                random.exe_Y.exeGet hashmaliciousAmadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, XmrigBrowse
                                                                                                                                                                                                                                                • 104.21.64.80
                                                                                                                                                                                                                                                https://pluginvest.freshdesk.com/en/support/solutions/articles/157000010678-pluginvest-laadoplossingGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                • 172.66.0.145
                                                                                                                                                                                                                                                https://www.ispringsolutions.com/ispring-suiteGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                • 104.21.80.1
                                                                                                                                                                                                                                                5_6253708004881862888.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                • 104.21.66.86
                                                                                                                                                                                                                                                1fxm3u0d.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                • 104.21.66.86
                                                                                                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                                a0e9f5d64349fb13191bc781f81f42e1winrar-x64-701.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                • 172.67.157.254
                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                cccc2.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                • 172.67.157.254
                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                CompleteStudio.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                • 172.67.157.254
                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                winrar-x64-701.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                • 172.67.157.254
                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                random.exe.6.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                • 172.67.157.254
                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                alexshlu.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                                                • 172.67.157.254
                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                99awhy8l.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                • 172.67.157.254
                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                random.exe_Y.exeGet hashmaliciousAmadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, XmrigBrowse
                                                                                                                                                                                                                                                • 172.67.157.254
                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                5_6253708004881862888.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                • 172.67.157.254
                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                1fxm3u0d.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                • 172.67.157.254
                                                                                                                                                                                                                                                • 23.55.153.106
No context
No created / dropped files found
File type: MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Entropy (8bit): 7.956425596190051
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: v_dolg.exe
File size: 3'794'944 bytes
MD5: 378706614b22957208e09fc84fceece8
SHA1: d35e1f89f36aed26553b665f791cd69d82136fb8
SHA256: df6e6d5bead4aa34f8e0dd325400a5829265b0f615cd1da48d155cc30b89ad6d
SHA512: bef7a09ce1ffd0a0b169a6ec7c143ca322c929139ca0af40353502ae22fed455fe10a9b80ba93cc399a88add94f921b7aa801033ddae351f8f8d477781ca476e
SSDEEP: 98304:SaBCZwNZbJRa6YuWjsnxks5HqRhzYc/D2iBTF:SaMwP3YuWwxks5HQD2iz
TLSH: CD0633C25851A6A9E8348571EFD16D447F933C3A86E024DD338EBB2F1633D09E82DA5D
File Content Preview: MZ@.....................................!..L.!Win32 .EXE...$@...PE..L.....Lg.....................J....................@.................................:):..................................................".................................................
Icon Hash: 4cda84868282c655
Entrypoint: 0xc09193
Entrypoint Section: .MPRESS2
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x674CEE8B [Sun Dec 1 23:17:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 065136716995edc1d4927c94cbed78e4
Instruction
pushad
call 00007FCCF86BD975h
pop eax
add eax, 00000B5Ah
mov esi, dword ptr [eax]
add esi, eax
sub eax, eax
mov edi, esi
lodsw
shl eax, 0Ch
mov ecx, eax
push eax
lodsd
sub ecx, eax
add esi, ecx
mov ecx, eax
push edi
push ecx
dec ecx
mov al, byte ptr [ecx+edi+06h]
mov byte ptr [ecx+esi], al
jne 00007FCCF86BD968h
sub eax, eax
lodsb
mov ecx, eax
and cl, FFFFFFF0h
and al, 0Fh
shl ecx, 0Ch
mov ch, al
lodsb
or ecx, eax
push ecx
                                                                                                                                                                                                                                                add cl, ch
                                                                                                                                                                                                                                                mov ebp, FFFFFD00h
                                                                                                                                                                                                                                                shl ebp, cl
                                                                                                                                                                                                                                                pop ecx
                                                                                                                                                                                                                                                pop eax
                                                                                                                                                                                                                                                mov ebx, esp
                                                                                                                                                                                                                                                lea esp, dword ptr [esp+ebp*2-00000E70h]
                                                                                                                                                                                                                                                push ecx
                                                                                                                                                                                                                                                sub ecx, ecx
                                                                                                                                                                                                                                                push ecx
                                                                                                                                                                                                                                                push ecx
                                                                                                                                                                                                                                                mov ecx, esp
                                                                                                                                                                                                                                                push ecx
                                                                                                                                                                                                                                                mov dx, word ptr [edi]
                                                                                                                                                                                                                                                shl edx, 0Ch
                                                                                                                                                                                                                                                push edx
                                                                                                                                                                                                                                                push edi
                                                                                                                                                                                                                                                add ecx, 04h
                                                                                                                                                                                                                                                push ecx
                                                                                                                                                                                                                                                push eax
                                                                                                                                                                                                                                                add ecx, 04h
                                                                                                                                                                                                                                                push esi
                                                                                                                                                                                                                                                push ecx
                                                                                                                                                                                                                                                call 00007FCCF86BD9D3h
                                                                                                                                                                                                                                                mov esp, ebx
                                                                                                                                                                                                                                                pop esi
                                                                                                                                                                                                                                                pop edx
                                                                                                                                                                                                                                                sub eax, eax
                                                                                                                                                                                                                                                mov dword ptr [edx+esi], eax
                                                                                                                                                                                                                                                mov ah, 10h
                                                                                                                                                                                                                                                sub edx, eax
                                                                                                                                                                                                                                                sub ecx, ecx
                                                                                                                                                                                                                                                cmp ecx, edx
                                                                                                                                                                                                                                                jnc 00007FCCF86BD998h
                                                                                                                                                                                                                                                mov ebx, ecx
                                                                                                                                                                                                                                                lodsb
                                                                                                                                                                                                                                                inc ecx
                                                                                                                                                                                                                                                and al, FEh
                                                                                                                                                                                                                                                cmp al, E8h
                                                                                                                                                                                                                                                jne 00007FCCF86BD964h
                                                                                                                                                                                                                                                inc ebx
                                                                                                                                                                                                                                                add ecx, 04h
                                                                                                                                                                                                                                                lodsd
                                                                                                                                                                                                                                                or eax, eax
                                                                                                                                                                                                                                                js 00007FCCF86BD978h
                                                                                                                                                                                                                                                cmp eax, edx
                                                                                                                                                                                                                                                jnc 00007FCCF86BD957h
                                                                                                                                                                                                                                                jmp 00007FCCF86BD978h
                                                                                                                                                                                                                                                add eax, ebx
                                                                                                                                                                                                                                                js 00007FCCF86BD951h
                                                                                                                                                                                                                                                add eax, edx
                                                                                                                                                                                                                                                sub eax, ebx
                                                                                                                                                                                                                                                mov dword ptr [esi-04h], eax
                                                                                                                                                                                                                                                jmp 00007FCCF86BD948h
                                                                                                                                                                                                                                                call 00007FCCF86BD975h
                                                                                                                                                                                                                                                pop edi
                                                                                                                                                                                                                                                add edi, FFFFFF4Dh
                                                                                                                                                                                                                                                mov al, E9h
                                                                                                                                                                                                                                                stosb
                                                                                                                                                                                                                                                mov eax, 00000B56h
                                                                                                                                                                                                                                                stosd
                                                                                                                                                                                                                                                call 00007FCCF86BD975h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x809000 | 0x194 | .MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80a000 | 0x42298 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8090a0 | 0x30 | .MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.MPRESS1 | 0x1000 | 0x808000 | 0x35b400 | d118ce912664cfba526b69922019528c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.MPRESS2 | 0x809000 | 0xcfd | 0xe00 | 18347266d68828049842b746fe81a525 | False | 0.5426897321428571 | data | 5.764746466183774 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x80a000 | 0x42298 | 0x42400 | d8123a250cc7d48bb4b2b2ca040ec254 | False | 0.5552660672169811 | data | 6.099574294470979 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x79f988 | 0x22dfa | empty | English | Ireland | 0
RT_ICON | 0x80a110 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.5921669793621013
RT_ICON | 0x80b1e0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.46303731695795936
RT_ICON | 0x80f430 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.3523896841358098
RT_ICON | 0x81fc80 | 0xc009 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9946095482191167
RT_ICON | 0x82bcb4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.47373358348968103
RT_ICON | 0x82cd84 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.34346953235710914
RT_ICON | 0x830fd4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.2791612445285697
RT_ICON | 0x841824 | 0x9455 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.99146762173123
RT_MENU | 0x8031d8 | 0x4a | empty | English | United States | 0
RT_DIALOG | 0x803224 | 0xea | empty | English | United States | 0
RT_STRING | 0x803310 | 0x9c | empty | | | 0
RT_ACCELERATOR | 0x8033ac | 0x10 | empty | English | United States | 0
RT_GROUP_ICON | 0x84adc4 | 0x3e | data | English | United States | 0.8225806451612904
RT_GROUP_ICON | 0x84ae2c | 0x3e | data | English | United States | 0.8709677419354839
RT_MANIFEST | 0x84aeac | 0xe3b | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.38594564919022784
None | 0x804278 | 0xb | empty | French | France | 0
None | 0x804284 | 0x103 | empty | French | France | 0
None | 0x804388 | 0x78f | empty | French | France | 0
None | 0x804b18 | 0x4b | empty | French | France | 0
None | 0x804b64 | 0x238 | empty | French | France | 0
None | 0x804d9c | 0x238 | empty | French | France | 0
None | 0x804fd4 | 0x48 | empty | French | France | 0
None | 0x80501c | 0x244 | empty | French | France | 0
None | 0x805260 | 0x153 | empty | French | France | 0
None | 0x8053b4 | 0x305 | empty | French | France | 0
None | 0x8056bc | 0x153 | empty | French | France | 0
None | 0x805810 | 0x353 | empty | French | France | 0
None | 0x805b64 | 0x305 | empty | French | France | 0
None | 0x805e6c | 0x13c | empty | French | France | 0
None | 0x805fa8 | 0x238 | empty | French | France | 0
None | 0x8061e0 | 0x208 | empty | French | France | 0
                                                                                                                                                                                                                                                None0x8063e80x238emptyFrenchFrance0
                                                                                                                                                                                                                                                None0x8066200x238emptyFrenchFrance0
                                                                                                                                                                                                                                                None0x8068580x208emptyFrenchFrance0
                                                                                                                                                                                                                                                None0x806a600x238empty0
                                                                                                                                                                                                                                                None0x806c980x553empty0
                                                                                                                                                                                                                                                None0x8071ec0x153emptyFrenchFrance0
                                                                                                                                                                                                                                                None0x8073400x10demptyFrenchFrance0
                                                                                                                                                                                                                                                None0x8074500x238emptyFrenchFrance0
                                                                                                                                                                                                                                                None0x8076880x238emptyFrenchFrance0
                                                                                                                                                                                                                                                None0x8078c00x107empty0
                                                                                                                                                                                                                                                None0x8079c80x11demptyFrenchFrance0
                                                                                                                                                                                                                                                None0x807ae80x252emptyFrenchFrance0
                                                                                                                                                                                                                                                None0x807d3c0x46eempty0
                                                                                                                                                                                                                                                None0x8081ac0x25eemptyFrenchFrance0
DLL | Import
KERNEL32.DLL | GetModuleHandleA, GetProcAddress
SHELL32.dll | SHEmptyRecycleBinW
USER32.dll | CloseClipboard
GDI32.dll | BitBlt
ole32.dll | CoCreateInstance
OLEAUT32.dll | SysAllocString
Language of compilation system | Country where language is spoken
English | Ireland
English | United States
French | France
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T12:42:19.428975+0100 | 2057927 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) | 1 | 192.168.2.7 | 60017 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:19.428975+0100 | 2057975 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) | 1 | 192.168.2.7 | 60017 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:19.669772+0100 | 2057945 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) | 1 | 192.168.2.7 | 61833 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:19.669772+0100 | 2057983 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) | 1 | 192.168.2.7 | 61833 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:19.906169+0100 | 2057949 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) | 1 | 192.168.2.7 | 52213 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:19.906169+0100 | 2057981 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) | 1 | 192.168.2.7 | 52213 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:20.123421+0100 | 2057929 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) | 1 | 192.168.2.7 | 56217 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:20.123421+0100 | 2057979 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) | 1 | 192.168.2.7 | 56217 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:20.338320+0100 | 2057931 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) | 1 | 192.168.2.7 | 49547 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:20.338320+0100 | 2057977 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) | 1 | 192.168.2.7 | 49547 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:20.566681+0100 | 2057925 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) | 1 | 192.168.2.7 | 54422 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:20.566681+0100 | 2057973 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) | 1 | 192.168.2.7 | 54422 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:20.804369+0100 | 2057943 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) | 1 | 192.168.2.7 | 64276 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:20.804369+0100 | 2057971 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) | 1 | 192.168.2.7 | 64276 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:21.039707+0100 | 2057935 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) | 1 | 192.168.2.7 | 56912 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:21.039707+0100 | 2057969 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) | 1 | 192.168.2.7 | 56912 | 1.1.1.1 | 53 | UDP
2024-12-18T12:42:23.274508+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49803 | 23.55.153.106 | 443 | TCP
2024-12-18T12:42:24.067183+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.7 | 49803 | 23.55.153.106 | 443 | TCP
2024-12-18T12:42:25.743411+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49812 | 172.67.157.254 | 443 | TCP
2024-12-18T12:42:26.550676+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49812 | 172.67.157.254 | 443 | TCP
2024-12-18T12:42:26.550676+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49812 | 172.67.157.254 | 443 | TCP
2024-12-18T12:42:27.328996+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49818 | 172.67.157.254 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 12:42:21.442981958 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:21.443028927 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:21.443154097 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:21.867121935 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:21.867161989 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:23.274432898 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:23.274507999 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:23.277910948 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:23.277921915 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:23.278445005 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:23.328784943 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:23.402107954 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:23.447330952 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.067215919 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.067254066 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.067275047 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.067281961 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.067291975 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:24.067328930 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.067342997 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.067358017 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:24.067384005 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:24.251418114 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.251462936 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.251522064 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:24.251535892 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.251580954 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:24.282643080 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.282684088 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.282752037 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.282757998 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:24.282808065 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:24.284904003 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:24.284925938 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.284935951 CET | 49803 | 443 | 192.168.2.7 | 23.55.153.106
Dec 18, 2024 12:42:24.284945011 CET | 443 | 49803 | 23.55.153.106 | 192.168.2.7
Dec 18, 2024 12:42:24.527812004 CET | 49812 | 443 | 192.168.2.7 | 172.67.157.254
Dec 18, 2024 12:42:24.527861118 CET | 443 | 49812 | 172.67.157.254 | 192.168.2.7
Dec 18, 2024 12:42:24.527941942 CET | 49812 | 443 | 192.168.2.7 | 172.67.157.254
Dec 18, 2024 12:42:24.528372049 CET | 49812 | 443 | 192.168.2.7 | 172.67.157.254
Dec 18, 2024 12:42:24.528383970 CET | 443 | 49812 | 172.67.157.254 | 192.168.2.7
Dec 18, 2024 12:42:25.743268967 CET | 443 | 49812 | 172.67.157.254 | 192.168.2.7
Dec 18, 2024 12:42:25.743411064 CET | 49812 | 443 | 192.168.2.7 | 172.67.157.254
Dec 18, 2024 12:42:25.745181084 CET | 49812 | 443 | 192.168.2.7 | 172.67.157.254
Dec 18, 2024 12:42:25.745191097 CET | 443 | 49812 | 172.67.157.254 | 192.168.2.7
Dec 18, 2024 12:42:25.745518923 CET | 443 | 49812 | 172.67.157.254 | 192.168.2.7
Dec 18, 2024 12:42:25.746906042 CET | 49812 | 443 | 192.168.2.7 | 172.67.157.254
Dec 18, 2024 12:42:25.746931076 CET | 49812 | 443 | 192.168.2.7 | 172.67.157.254
Dec 18, 2024 12:42:25.746989965 CET | 443 | 49812 | 172.67.157.254 | 192.168.2.7
Dec 18, 2024 12:42:26.550694942 CET | 443 | 49812 | 172.67.157.254 | 192.168.2.7
Dec 18, 2024 12:42:26.550808907 CET | 443 | 49812 | 172.67.157.254 | 192.168.2.7
Dec 18, 2024 12:42:26.550880909 CET | 49812 | 443 | 192.168.2.7 | 172.67.157.254
Dec 18, 2024 12:42:26.609246969 CET | 49812 | 443 | 192.168.2.7 | 172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 12:42:26.609282017 CET44349812172.67.157.254192.168.2.7
                                                                                                                                                                                                                                                Dec 18, 2024 12:42:26.609301090 CET49812443192.168.2.7172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 12:42:26.609311104 CET44349812172.67.157.254192.168.2.7
                                                                                                                                                                                                                                                Dec 18, 2024 12:42:26.700205088 CET49818443192.168.2.7172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 12:42:26.700258017 CET44349818172.67.157.254192.168.2.7
                                                                                                                                                                                                                                                Dec 18, 2024 12:42:26.700319052 CET49818443192.168.2.7172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 12:42:26.700659990 CET49818443192.168.2.7172.67.157.254
                                                                                                                                                                                                                                                Dec 18, 2024 12:42:26.700674057 CET44349818172.67.157.254192.168.2.7
                                                                                                                                                                                                                                                Dec 18, 2024 12:42:27.328995943 CET49818443192.168.2.7172.67.157.254
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 12:42:19.428975105 CET | 60017 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 12:42:19.659269094 CET | 53 | 60017 | 1.1.1.1 | 192.168.2.7
Dec 18, 2024 12:42:19.669771910 CET | 61833 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 12:42:19.902348995 CET | 53 | 61833 | 1.1.1.1 | 192.168.2.7
Dec 18, 2024 12:42:19.906168938 CET | 52213 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 12:42:20.119478941 CET | 53 | 52213 | 1.1.1.1 | 192.168.2.7
Dec 18, 2024 12:42:20.123420954 CET | 56217 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 12:42:20.336042881 CET | 53 | 56217 | 1.1.1.1 | 192.168.2.7
Dec 18, 2024 12:42:20.338320017 CET | 49547 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 12:42:20.563527107 CET | 53 | 49547 | 1.1.1.1 | 192.168.2.7
Dec 18, 2024 12:42:20.566680908 CET | 54422 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 12:42:20.796161890 CET | 53 | 54422 | 1.1.1.1 | 192.168.2.7
Dec 18, 2024 12:42:20.804368973 CET | 64276 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 12:42:21.036007881 CET | 53 | 64276 | 1.1.1.1 | 192.168.2.7
Dec 18, 2024 12:42:21.039706945 CET | 56912 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 12:42:21.280718088 CET | 53 | 56912 | 1.1.1.1 | 192.168.2.7
Dec 18, 2024 12:42:21.284678936 CET | 53279 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 12:42:21.422137976 CET | 53 | 53279 | 1.1.1.1 | 192.168.2.7
Dec 18, 2024 12:42:24.295784950 CET | 50622 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 12:42:24.526597977 CET | 53 | 50622 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 12:42:19.428975105 CET | 192.168.2.7 | 1.1.1.1 | 0x52cf | Standard query (0) | dare-curbys.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:19.669771910 CET | 192.168.2.7 | 1.1.1.1 | 0x182e | Standard query (0) | se-blurry.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:19.906168938 CET | 192.168.2.7 | 1.1.1.1 | 0xf498 | Standard query (0) | zinc-sneark.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:20.123420954 CET | 192.168.2.7 | 1.1.1.1 | 0x7b46 | Standard query (0) | dwell-exclaim.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:20.338320017 CET | 192.168.2.7 | 1.1.1.1 | 0xb3c5 | Standard query (0) | formy-spill.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:20.566680908 CET | 192.168.2.7 | 1.1.1.1 | 0x2a9f | Standard query (0) | covery-mover.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:20.804368973 CET | 192.168.2.7 | 1.1.1.1 | 0xd84 | Standard query (0) | print-vexer.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:21.039706945 CET | 192.168.2.7 | 1.1.1.1 | 0x13a3 | Standard query (0) | impend-differ.biz | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:21.284678936 CET | 192.168.2.7 | 1.1.1.1 | 0xa775 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:24.295784950 CET | 192.168.2.7 | 1.1.1.1 | 0xd650 | Standard query (0) | lev-tolstoi.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 12:41:35.402585030 CET | 1.1.1.1 | 192.168.2.7 | 0x4b3d | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 18, 2024 12:41:35.402585030 CET | 1.1.1.1 | 192.168.2.7 | 0x4b3d | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:19.659269094 CET | 1.1.1.1 | 192.168.2.7 | 0x52cf | Name error (3) | dare-curbys.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:19.902348995 CET | 1.1.1.1 | 192.168.2.7 | 0x182e | Name error (3) | se-blurry.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:20.119478941 CET | 1.1.1.1 | 192.168.2.7 | 0xf498 | Name error (3) | zinc-sneark.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:20.336042881 CET | 1.1.1.1 | 192.168.2.7 | 0x7b46 | Name error (3) | dwell-exclaim.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:20.563527107 CET | 1.1.1.1 | 192.168.2.7 | 0xb3c5 | Name error (3) | formy-spill.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:20.796161890 CET | 1.1.1.1 | 192.168.2.7 | 0x2a9f | Name error (3) | covery-mover.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:21.036007881 CET | 1.1.1.1 | 192.168.2.7 | 0xd84 | Name error (3) | print-vexer.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:21.280718088 CET | 1.1.1.1 | 192.168.2.7 | 0x13a3 | Name error (3) | impend-differ.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:21.422137976 CET | 1.1.1.1 | 192.168.2.7 | 0xa775 | No error (0) | steamcommunity.com | | 23.55.153.106 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:24.526597977 CET | 1.1.1.1 | 192.168.2.7 | 0xd650 | No error (0) | lev-tolstoi.com | | 172.67.157.254 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 12:42:24.526597977 CET | 1.1.1.1 | 192.168.2.7 | 0xd650 | No error (0) | lev-tolstoi.com | | 104.21.66.86 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
• lev-tolstoi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49803 | 23.55.153.106 | 443 | 7628 | C:\Users\user\Desktop\v_dolg.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 11:42:23 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2024-12-18 11:42:24 UTC | 1905 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Wed, 18 Dec 2024 11:42:23 GMT
Content-Length: 35121
Connection: close
Set-Cookie: sessionid=740ec1569cb3c9fe2d825efd; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-18 11:42:24 UTC | 14479 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-18 11:42:24 UTC | 10097 | IN | Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-18 11:42:24 UTC | 10545 | IN | Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID:1
Source IP:192.168.2.7
Source Port:49812
Destination IP:172.67.157.254
Destination Port:443
PID:7628
Process:C:\Users\user\Desktop\v_dolg.exe

Timestamp  Bytes transferred  Direction  Data
2024-12-18 11:42:25 UTC  262 bytes  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com
2024-12-18 11:42:25 UTC  8 bytes  OUT  Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-18 11:42:26 UTC  1040 bytes  IN  HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 11:42:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=btfu3tl4614gdk97j3fad53brk; expires=Sun, 13-Apr-2025 05:29:05 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VvsMc16m%2BfFjiNr3LynJEWvbFDleM%2FIw4q4O9U7xLg5r%2BCSNGklDmkyQi0CZapPaSP5rh1%2By0yx3GjTHhbUHPxMSehplGfJ2p9bcWOW%2B%2BiRP0W7rP3EiOfZKbQWZQfoI3Vw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3ee3b49b7ac47a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1508&min_rtt=1499&rtt_var=580&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1858688&cwnd=244&unsent_bytes=0&cid=f5b578e14fd65fac&ts=818&x=0"
2024-12-18 11:42:26 UTC  7 bytes  IN  Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-18 11:42:26 UTC  5 bytes  IN  Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID:1
Start time:06:41:37
Start date:18/12/2024
Path:C:\Users\user\Desktop\v_dolg.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\v_dolg.exe"
Imagebase:0x400000
File size:3'794'944 bytes
MD5 hash:378706614B22957208E09FC84FCEECE8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

No disassembly