Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1637463
MD5:	2002fdf412315d31fcdf5b6acbcaa53c
SHA1:	c3d77ad74a3c01eba18fd19eda94789cdd7b9cb1
SHA256:	b7bec68290b285cdcec37f9558f1488c36e971aded4b995b3a45a40ddcaf00dc
Tags:	exeuser-jstrosch
Infos:

Detection

Score:	72
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 1724 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2002FDF412315D31FCDF5B6ACBCAA53C)

conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

file.exe (PID: 6524 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2002FDF412315D31FCDF5B6ACBCAA53C)

WerFault.exe (PID: 1976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 396 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T16:52:49.962257+0100	2028371	3	Unknown Traffic	192.168.2.9	49683	188.114.97.3	443	TCP
2025-03-13T16:52:56.516356+0100	2028371	3	Unknown Traffic	192.168.2.9	49691	104.21.16.1	443	TCP
2025-03-13T16:53:04.899043+0100	2028371	3	Unknown Traffic	192.168.2.9	49695	188.114.97.3	443	TCP
2025-03-13T16:53:08.228392+0100	2028371	3	Unknown Traffic	192.168.2.9	49698	188.114.97.3	443	TCP
2025-03-13T16:53:13.948541+0100	2028371	3	Unknown Traffic	192.168.2.9	49705	104.21.16.1	443	TCP
2025-03-13T16:53:19.826092+0100	2028371	3	Unknown Traffic	192.168.2.9	49709	104.21.16.1	443	TCP
2025-03-13T16:53:25.731376+0100	2028371	3	Unknown Traffic	192.168.2.9	49712	104.21.48.1	443	TCP
2025-03-13T16:53:30.303363+0100	2028371	3	Unknown Traffic	192.168.2.9	49715	104.73.234.102	443	TCP
2025-03-13T16:53:33.191985+0100	2028371	3	Unknown Traffic	192.168.2.9	58769	104.73.234.102	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: file.exe	Virustotal: Detection: 70%			Perma Link
Source: file.exe	ReversingLabs: Detection: 76%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1078266054.00000000027FF000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.1078266054.00000000027FF000.00000004.00000020.00020000.00000000.sdmp	String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.1078266054.00000000027FF000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.1078266054.00000000027FF000.00000004.00000020.00020000.00000000.sdmp	String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.1078266054.00000000027FF000.00000004.00000020.00020000.00000000.sdmp	String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.1078266054.00000000027FF000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.1078266054.00000000027FF000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bugildbett.top/bAuz

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.9:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.9:58769 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0107FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0107FD8F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0107FCDE FindFirstFileExW,	0_2_0107FCDE
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0107FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_0107FD8F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0107FCDE FindFirstFileExW,	2_2_0107FCDE

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CF91E6EAh	2_2_0044A106
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi+3E8E80E8h]	2_2_0044D300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [ecx], bx	2_2_0044D300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h]	2_2_0044D7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+18h]	2_2_0040EFAE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edi], cx	2_2_00429840
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [00451018h]	2_2_0040F066
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_00402800
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h]	2_2_0041C833
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h	2_2_004480C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 6D58C181h	2_2_00421890
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-4926828Eh]	2_2_00421890
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00410897
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	2_2_00410897
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h]	2_2_00413143
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h]	2_2_0044D950
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0D0EF488h]	2_2_0042D92B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	2_2_004019E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-51AE6CD0h]	2_2_0044AA55
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 8B8A8924h	2_2_0043F250
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+19DCC0F6h]	2_2_00445250
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ebp+edi+00h]	2_2_00445250
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ecx], dl	2_2_00423A70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_00423A70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], C446A772h	2_2_0041E21B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh]	2_2_0041E21B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh]	2_2_0041E21B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	2_2_0041E21B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	2_2_0041E21B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+70h]	2_2_0041E21B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-49268212h]	2_2_0041E21B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	2_2_00448220
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	2_2_004292C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6BB1A2B4h]	2_2_004482E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea ecx, dword ptr [eax+eax]	2_2_00412AF8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea ecx, dword ptr [eax-40000000h]	2_2_00412AF8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea edx, dword ptr [ecx+ecx]	2_2_00412AF8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000FAh]	2_2_00433A88
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	2_2_0044C2A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then push eax	2_2_00449B7F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h]	2_2_0041C833
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+44h]	2_2_00444300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_0040A320
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_0040A320
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000FAh]	2_2_00433A88
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+34h]	2_2_00433330
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_00436BE5
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], esi	2_2_0044C3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h]	2_2_0044C3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, ebx	2_2_0044C3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+68h]	2_2_00437BB8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ecx], dl	2_2_00411C5F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_00435C60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+08h], ebx	2_2_00445C70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00410C1B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	2_2_00410C1B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi+5Ch]	2_2_0042F430
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00441480
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+49408C66h]	2_2_00428CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_0044BD46
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_0041EDDC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6D3F2F7Eh]	2_2_00420D90
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	2_2_00448590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+50h]	2_2_004305B2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	2_2_0041AE40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_00438E42
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+10h], ecx	2_2_00438E42
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, di	2_2_0042FE40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1272D010h]	2_2_0042FE40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add eax, esi	2_2_00437627
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx+00h]	2_2_0040CE30
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+esi]	2_2_0040CE30
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+10h], ecx	2_2_00438E39
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+0Ah]	2_2_00445ED1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	2_2_00445ED1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	2_2_004236EB
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_004386EC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00432F60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esi+edx]	2_2_00432F60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00432F60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	2_2_0041AF00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-4926828Ah]	2_2_0041AF00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A92C912h]	2_2_0040C710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2Ah]	2_2_0044C7D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h]	2_2_00412FDB
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	2_2_00446790
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_0041EFAD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00433FB0

Source: global traffic

TCP traffic: 192.168.2.9:58768 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49683 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49691 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:58769 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49712 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49695 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49709 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49715 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49698 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49705 -> 104.21.16.1:443

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com

Source: file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C14c9dde9b41d2538b03ea660c9fb439f; path=/; secure; HttpOnly; SameSite=Nonesessionid=58b4bafbedb91d2ef4c08271; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26244Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 13 Mar 2025 15:53:33 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlJJ equals www.youtube.com (Youtube)
Source: file.exe, 00000002.00000003.1456025007.00000000018C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C14c9dde9b41d2538b03ea660c9fb439f; path=/; secure; HttpOnly; SameSite=Nonesessionid=ac77c0ab410d8b3730e05350; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26244Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 13 Mar 2025 15:53:30 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control>{ equals www.youtube.com (Youtube)
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: jowinjoinery.icu
Source: global traffic	DNS traffic detected: DNS query: featureccus.shop
Source: global traffic	DNS traffic detected: DNS query: mrodularmall.top
Source: global traffic	DNS traffic detected: DNS query: legenassedk.top
Source: global traffic	DNS traffic detected: DNS query: htardwarehu.icu
Source: global traffic	DNS traffic detected: DNS query: cjlaspcorne.icu
Source: global traffic	DNS traffic detected: DNS query: bugildbett.top
Source: global traffic	DNS traffic detected: DNS query: latchclan.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486774598.0000000001917000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486774598.0000000001917000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486774598.0000000001917000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: file.exe, 00000002.00000003.1486101744.0000000001867000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486557901.0000000001867000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=J1-T6FXbrr0Z&a
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=GlKQ1cghJWE2&l=english&_c
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486774598.0000000001917000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=jfdbROVe
Source: file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=39xC
Source: file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=cMt-H-z
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=cMt-H-zOgNUp&l=english&am
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=PCCoCNLxwF4M&am
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000002.00000002.1486750951.00000000018C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485732575.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com//
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486774598.0000000001917000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199822375128
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000002.00000003.1456088914.000000000187C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485732575.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486582922.000000000187C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128
Source: file.exe, 00000002.00000002.1486582922.000000000187C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128K
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamloopback.host
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000002.00000002.1486750951.00000000018C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485732575.00000000018BE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456025007.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485732575.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000002.00000002.1486750951.00000000018C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456025007.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485732575.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
Source: file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486774598.0000000001917000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.9:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.9:58769 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0043F410 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043F410

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0043F410 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043F410

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0043FC48 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

2_2_0043FC48

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100553B	0_2_0100553B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01046460	0_2_01046460
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01044CB0	0_2_01044CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01021F50	0_2_01021F50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01030110	0_2_01030110
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01054110	0_2_01054110
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01038130	0_2_01038130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01019150	0_2_01019150
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01037170	0_2_01037170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101F190	0_2_0101F190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010101A0	0_2_010101A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010041D0	0_2_010041D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010641D0	0_2_010641D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01001000	0_2_01001000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01056010	0_2_01056010
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102E020	0_2_0102E020
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100E030	0_2_0100E030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106A030	0_2_0106A030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105C050	0_2_0105C050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103D070	0_2_0103D070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105D070	0_2_0105D070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01046090	0_2_01046090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010150E0	0_2_010150E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010200E0	0_2_010200E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101A0F0	0_2_0101A0F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010590F0	0_2_010590F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105E0F0	0_2_0105E0F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106B0F0	0_2_0106B0F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100A300	0_2_0100A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01008310	0_2_01008310
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101B310	0_2_0101B310
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01027320	0_2_01027320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01041320	0_2_01041320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102D330	0_2_0102D330
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01063330	0_2_01063330
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104A350	0_2_0104A350
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01050350	0_2_01050350
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105C350	0_2_0105C350
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01029360	0_2_01029360
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101E3A0	0_2_0101E3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010353A0	0_2_010353A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105D3B0	0_2_0105D3B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010493D0	0_2_010493D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010693E0	0_2_010693E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102A3F0	0_2_0102A3F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01023200	0_2_01023200
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01062210	0_2_01062210
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01078230	0_2_01078230
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01040240	0_2_01040240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100D250	0_2_0100D250
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01025290	0_2_01025290
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010182B0	0_2_010182B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010612B0	0_2_010612B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010722CA	0_2_010722CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010072E0	0_2_010072E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01013510	0_2_01013510
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01016530	0_2_01016530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01023530	0_2_01023530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105F530	0_2_0105F530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103B560	0_2_0103B560
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01059576	0_2_01059576
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01085592	0_2_01085592
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103C5A0	0_2_0103C5A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010255C0	0_2_010255C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103F5D0	0_2_0103F5D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010695D0	0_2_010695D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102B5F0	0_2_0102B5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101D410	0_2_0101D410
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01036410	0_2_01036410
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01068420	0_2_01068420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01010430	0_2_01010430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01014430	0_2_01014430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01053430	0_2_01053430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01012450	0_2_01012450
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01025450	0_2_01025450
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102E490	0_2_0102E490
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010584C0	0_2_010584C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106A4C0	0_2_0106A4C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100A700	0_2_0100A700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01055700	0_2_01055700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01083718	0_2_01083718
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01009718	0_2_01009718
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01019740	0_2_01019740
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100D7F0	0_2_0100D7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010507F0	0_2_010507F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100C610	0_2_0100C610
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01010620	0_2_01010620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01057630	0_2_01057630
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01061630	0_2_01061630
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01064640	0_2_01064640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01049650	0_2_01049650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01041660	0_2_01041660
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105A660	0_2_0105A660
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100E690	0_2_0100E690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01055690	0_2_01055690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010176C0	0_2_010176C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102C6D0	0_2_0102C6D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103D6E0	0_2_0103D6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010386E0	0_2_010386E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100B6F0	0_2_0100B6F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010266F0	0_2_010266F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101E900	0_2_0101E900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01038900	0_2_01038900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100C906	0_2_0100C906
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106D90A	0_2_0106D90A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01056920	0_2_01056920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01016940	0_2_01016940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100B960	0_2_0100B960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105D980	0_2_0105D980
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01008990	0_2_01008990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010189A0	0_2_010189A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103E9C0	0_2_0103E9C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01062800	0_2_01062800
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101D810	0_2_0101D810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103A810	0_2_0103A810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01013840	0_2_01013840
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01005856	0_2_01005856
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101F860	0_2_0101F860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103C870	0_2_0103C870
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010298A0	0_2_010298A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010478A0	0_2_010478A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010228C0	0_2_010228C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01007B00	0_2_01007B00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100CB0F	0_2_0100CB0F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104EB40	0_2_0104EB40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01017B50	0_2_01017B50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101DB80	0_2_0101DB80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01010B90	0_2_01010B90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01011BA0	0_2_01011BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01057BB0	0_2_01057BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102ABF0	0_2_0102ABF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103ABF0	0_2_0103ABF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01051A00	0_2_01051A00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01063A20	0_2_01063A20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102DA30	0_2_0102DA30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102CA30	0_2_0102CA30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105BA40	0_2_0105BA40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01033A50	0_2_01033A50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01048A70	0_2_01048A70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01023A90	0_2_01023A90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01017AA0	0_2_01017AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01038AA0	0_2_01038AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01067AB0	0_2_01067AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01009AF6	0_2_01009AF6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01029D00	0_2_01029D00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105FD00	0_2_0105FD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103FD20	0_2_0103FD20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01009D30	0_2_01009D30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01063D60	0_2_01063D60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01022D80	0_2_01022D80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103DD80	0_2_0103DD80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01008DD0	0_2_01008DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01037DD0	0_2_01037DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103DDD9	0_2_0103DDD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01010DE0	0_2_01010DE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01047DF0	0_2_01047DF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01005DF6	0_2_01005DF6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01022C00	0_2_01022C00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01061C00	0_2_01061C00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01014C10	0_2_01014C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101EC70	0_2_0101EC70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01033C70	0_2_01033C70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100BF10	0_2_0100BF10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01022F10	0_2_01022F10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105EF10	0_2_0105EF10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01013F20	0_2_01013F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01046F90	0_2_01046F90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105FF90	0_2_0105FF90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01026FC0	0_2_01026FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01052FC0	0_2_01052FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01020E10	0_2_01020E10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01067E10	0_2_01067E10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102FE20	0_2_0102FE20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100DE60	0_2_0100DE60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01042E80	0_2_01042E80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105AE80	0_2_0105AE80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01043EA0	0_2_01043EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01025EB0	0_2_01025EB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103AEC0	0_2_0103AEC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104AEE0	0_2_0104AEE0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040BA50	2_2_0040BA50
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040E6D0	2_2_0040E6D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040EFAE	2_2_0040EFAE
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00401040	2_2_00401040
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041F065	2_2_0041F065
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00417870	2_2_00417870
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041C833	2_2_0041C833
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00427830	2_2_00427830
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00445830	2_2_00445830
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00449832	2_2_00449832
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004380C8	2_2_004380C8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004110F9	2_2_004110F9
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00421890	2_2_00421890
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004378B8	2_2_004378B8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040D940	2_2_0040D940
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00402140	2_2_00402140
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00426150	2_2_00426150
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00451150	2_2_00451150
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00439160	2_2_00439160
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00442168	2_2_00442168
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040B970	2_2_0040B970
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00451170	2_2_00451170
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00424900	2_2_00424900
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042D92B	2_2_0042D92B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0045113C	2_2_0045113C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040F9C0	2_2_0040F9C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004139D0	2_2_004139D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043B9F9	2_2_0043B9F9
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00412185	2_2_00412185
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00445250	2_2_00445250
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00429A70	2_2_00429A70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042020C	2_2_0042020C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00426A15	2_2_00426A15
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041E21B	2_2_0041E21B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004292C0	2_2_004292C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044CAE0	2_2_0044CAE0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00412AF8	2_2_00412AF8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00408A80	2_2_00408A80
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044B280	2_2_0044B280
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00431290	2_2_00431290
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00445AA0	2_2_00445AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004512AC	2_2_004512AC
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004252B0	2_2_004252B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00402B50	2_2_00402B50
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041C833	2_2_0041C833
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00444300	2_2_00444300
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040A320	2_2_0040A320
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040C320	2_2_0040C320
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00416B81	2_2_00416B81
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044B380	2_2_0044B380
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042CBA0	2_2_0042CBA0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004283A0	2_2_004283A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044C3A0	2_2_0044C3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00411C5F	2_2_00411C5F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042D460	2_2_0042D460
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00432407	2_2_00432407
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043F410	2_2_0043F410
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042F430	2_2_0042F430
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043DC31	2_2_0043DC31
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004384C3	2_2_004384C3
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041BCC0	2_2_0041BCC0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040D4D0	2_2_0040D4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004434DF	2_2_004434DF
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041DCDF	2_2_0041DCDF
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044B4F0	2_2_0044B4F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00410483	2_2_00410483
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042F489	2_2_0042F489
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00424C90	2_2_00424C90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044BCB6	2_2_0044BCB6
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00409540	2_2_00409540
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00443540	2_2_00443540
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043155F	2_2_0043155F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00403560	2_2_00403560
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00425560	2_2_00425560
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00413D09	2_2_00413D09
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040AD20	2_2_0040AD20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043B536	2_2_0043B536
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041EDDC	2_2_0041EDDC
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00447DF0	2_2_00447DF0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044B580	2_2_0044B580
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00420D90	2_2_00420D90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00407DA0	2_2_00407DA0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004305B2	2_2_004305B2
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042FE40	2_2_0042FE40
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00433640	2_2_00433640
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00448650	2_2_00448650
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043C610	2_2_0043C610
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044CE10	2_2_0044CE10
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00437627	2_2_00437627
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044B622	2_2_0044B622
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040CE30	2_2_0040CE30
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00444ED0	2_2_00444ED0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00445ED1	2_2_00445ED1
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004326E0	2_2_004326E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004386EC	2_2_004386EC
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00415EF9	2_2_00415EF9
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00430E93	2_2_00430E93
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00410EAB	2_2_00410EAB
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00403F00	2_2_00403F00
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043E703	2_2_0043E703
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041AF00	2_2_0041AF00
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040C710	2_2_0040C710
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00436729	2_2_00436729
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042D730	2_2_0042D730
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00408FC0	2_2_00408FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044C7D0	2_2_0044C7D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004047E2	2_2_004047E2
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004437A0	2_2_004437A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0101E900	2_2_0101E900
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01038900	2_2_01038900
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0106D90A	2_2_0106D90A
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01030110	2_2_01030110
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01054110	2_2_01054110
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01056920	2_2_01056920
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01038130	2_2_01038130
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01016940	2_2_01016940
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01019150	2_2_01019150
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0100B960	2_2_0100B960
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01037170	2_2_01037170
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01008990	2_2_01008990
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0101F190	2_2_0101F190
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010101A0	2_2_010101A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010189A0	2_2_010189A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0103E9C0	2_2_0103E9C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010041D0	2_2_010041D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010641D0	2_2_010641D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0100D1E0	2_2_0100D1E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01001000	2_2_01001000
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01062800	2_2_01062800
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0101D810	2_2_0101D810
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0103A810	2_2_0103A810
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01056010	2_2_01056010
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0102E020	2_2_0102E020
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0100E030	2_2_0100E030
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01013840	2_2_01013840
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0101F860	2_2_0101F860
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0103C870	2_2_0103C870
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0103D070	2_2_0103D070
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0100C890	2_2_0100C890
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01046090	2_2_01046090
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010298A0	2_2_010298A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010478A0	2_2_010478A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010598B0	2_2_010598B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010228C0	2_2_010228C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010150E0	2_2_010150E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010200E0	2_2_010200E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0101A0F0	2_2_0101A0F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010590F0	2_2_010590F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0106B0F0	2_2_0106B0F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0100A300	2_2_0100A300
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01007B00	2_2_01007B00
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0104130F	2_2_0104130F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01008310	2_2_01008310
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0101B310	2_2_0101B310
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01027320	2_2_01027320
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01041320	2_2_01041320
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0104EB40	2_2_0104EB40
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01017B50	2_2_01017B50
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0104A350	2_2_0104A350
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01050350	2_2_01050350
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01029360	2_2_01029360
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0101DB80	2_2_0101DB80
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01010B90	2_2_01010B90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01011BA0	2_2_01011BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0101E3A0	2_2_0101E3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010353A0	2_2_010353A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01057BB0	2_2_01057BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010493D0	2_2_010493D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010693E0	2_2_010693E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0102ABF0	2_2_0102ABF0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0103ABF0	2_2_0103ABF0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01023200	2_2_01023200
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01051A00	2_2_01051A00
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01062210	2_2_01062210
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01063A20	2_2_01063A20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01078230	2_2_01078230
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01007240	2_2_01007240
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01033A50	2_2_01033A50
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01048A70	2_2_01048A70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01023A90	2_2_01023A90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01025290	2_2_01025290
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01017AA0	2_2_01017AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01038AA0	2_2_01038AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010182B0	2_2_010182B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010612B0	2_2_010612B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01067AB0	2_2_01067AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010722CA	2_2_010722CA
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010322F0	2_2_010322F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01029D00	2_2_01029D00
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0105FD00	2_2_0105FD00
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01059500	2_2_01059500
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01013510	2_2_01013510
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0103FD20	2_2_0103FD20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01009D30	2_2_01009D30
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01016530	2_2_01016530
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01023530	2_2_01023530
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0100CD50	2_2_0100CD50
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0103B560	2_2_0103B560
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01063D60	2_2_01063D60
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01022D80	2_2_01022D80
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0103DD80	2_2_0103DD80
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01085592	2_2_01085592
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0103C5A0	2_2_0103C5A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010255C0	2_2_010255C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01008DD0	2_2_01008DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0103F5D0	2_2_0103F5D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01037DD0	2_2_01037DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0103DDD9	2_2_0103DDD9
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01010DE0	2_2_01010DE0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0102B5F0	2_2_0102B5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01047DF0	2_2_01047DF0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01022C00	2_2_01022C00
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01061C00	2_2_01061C00
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01014C10	2_2_01014C10
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0101D410	2_2_0101D410
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01033410	2_2_01033410
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01014430	2_2_01014430
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01010430	2_2_01010430
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01053430	2_2_01053430
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01012450	2_2_01012450
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01025450	2_2_01025450
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01046460	2_2_01046460
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0101EC70	2_2_0101EC70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01033C70	2_2_01033C70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01044CB0	2_2_01044CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0105BCC0	2_2_0105BCC0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010584C0	2_2_010584C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0106A4C0	2_2_0106A4C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010054D0	2_2_010054D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0100A700	2_2_0100A700
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0100BF10	2_2_0100BF10
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01083718	2_2_01083718
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01022F10	2_2_01022F10
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01013F20	2_2_01013F20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01019740	2_2_01019740
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01021F50	2_2_01021F50
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01046F90	2_2_01046F90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0105FF90	2_2_0105FF90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01026FC0	2_2_01026FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01052FC0	2_2_01052FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010027E0	2_2_010027E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010507F0	2_2_010507F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0100C610	2_2_0100C610
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01020E10	2_2_01020E10
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01067E10	2_2_01067E10
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01010620	2_2_01010620
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0102FE20	2_2_0102FE20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01064640	2_2_01064640
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01049650	2_2_01049650
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0100DE60	2_2_0100DE60
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01069E60	2_2_01069E60
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01042E80	2_2_01042E80
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01009690	2_2_01009690
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0100E690	2_2_0100E690
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01055690	2_2_01055690
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01043EA0	2_2_01043EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010016B0	2_2_010016B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01025EB0	2_2_01025EB0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010176C0	2_2_010176C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0103AEC0	2_2_0103AEC0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0103D6E0	2_2_0103D6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010386E0	2_2_010386E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0104AEE0	2_2_0104AEE0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0100B6F0	2_2_0100B6F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010266F0	2_2_010266F0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041AEF0 appears 102 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0107AE24 appears 34 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0107607C appears 44 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0040B350 appears 52 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0106DE10 appears 96 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 396

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .bss ZLIB complexity 1.0003231990014265
Source: file.exe	Static PE information: Section: .bss ZLIB complexity 1.0003231990014265

Source: classification engine

Classification label: mal72.evad.winEXE@5/6@9/4

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00439160 CoCreateInstance,

2_2_00439160

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1724

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f6eb8c98-4677-4c49-a50d-6d45f1279ee8

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	Virustotal: Detection: 70%
Source: file.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 396
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1366528 > 1048576

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106DFCA push ecx; ret	0_2_0106DFDD
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044F360 push ecx; ret	2_2_0044F400
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044F338 push ecx; ret	2_2_0044F400
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044F3D8 push ecx; ret	2_2_0044F400
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004513DA push edx; retf	2_2_004513FE
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004554C9 push 00000000h; iretd	2_2_00455520
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00451648 pushad ; retf	2_2_00451689
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00455676 push 00000000h; iretd	2_2_004556EC
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00455766 push 00000000h; ret	2_2_00455770
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004517FC push ebx; ret	2_2_00451803
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010404DD push ebx; iretd	2_2_010404E3
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_010404F7 push ebx; iretd	2_2_010404F9
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0102A775 push es; iretd	2_2_0102A776
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0106DFCA push ecx; ret	2_2_0106DFDD

Source: file.exe

Static PE information: section name: .text entropy: 7.09207256696417

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0107FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0107FD8F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0107FCDE FindFirstFileExW,	0_2_0107FCDE
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0107FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_0107FD8F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0107FCDE FindFirstFileExW,	2_2_0107FCDE

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000002.00000002.1486634082.000000000188D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1486013210.000000000188B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.0000000001889000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485772806.0000000001889000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: file.exe, 00000002.00000003.1485946074.0000000001861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486557901.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0100553B _strlen,GetModuleHandleA,GetProcAddress,VirtualProtect,LdrInitializeThunk,OleDraw,GetModuleHandleA,GetProcAddress,OleDraw,FreeConsole,__fread_nolock,_strlen,_strlen,FreeConsole,__fread_nolock,FreeConsole,__fread_nolock,

0_2_0100553B

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01075DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_01075DCE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010961B4 mov edi, dword ptr fs:[00000030h]

0_2_010961B4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0107B71C GetProcessHeap,

0_2_0107B71C

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0106D8E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01075DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_01075DCE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106DC92 SetUnhandledExceptionFilter,	0_2_0106DC92
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0106DC9E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0106D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0106D8E2
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01075DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_01075DCE
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0106DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0106DC9E

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010961B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_010961B4

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_0107B007
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0107F048
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0107F334
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_0107F299
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_0107F587
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0107F706
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0107F7AD
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_0107F6BB
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0107F8B3
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0107AB0C
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	2_2_0107B007
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_0107F048
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	2_2_0107F8B3
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	2_2_0107AB0C
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_0107F334
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	2_2_0107F299
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	2_2_0107F587
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	2_2_0107F5E6
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	2_2_0107F706
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0107F7AD
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	2_2_0107F6BB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0106E6D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0106E6D7

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.LOG1.5.dr, Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.5.dr, Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.LOG1.5.dr, Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	71%	Virustotal		Browse
file.exe	76%	ReversingLabs	Win32.Trojan.LummaC
file.exe	100%	Avira	TR/Crypt.Agent.wdlug

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.73.234.102	true	false	high
jowinjoinery.icu	188.114.97.3	true	false	high
legenassedk.top	188.114.97.3	true	false	high
htardwarehu.icu	104.21.16.1	true	false	high
bugildbett.top	104.21.48.1	true	false	high
mrodularmall.top	104.21.16.1	true	false	high
cjlaspcorne.icu	104.21.16.1	true	false	high
latchclan.shop	unknown	unknown	false	high
featureccus.shop	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199822375128	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://player.vimeo.com	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com//	file.exe, 00000002.00000002.1486750951.00000000018C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485732575.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamloopback.host	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/en/	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/market/	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/news/	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.gstatic.cn/recaptcha/	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486774598.0000000001917000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486774598.0000000001917000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net/recaptcha/;	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.valvesoftware.com/legal.htm	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/discussions/	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=39xC	file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199822375128	file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/stats/	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=GlKQ1cghJWE2&l=english&_c	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://medal.tv	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://broadcast.st.dl.eccdnx.com	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/steam_refunds/	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=J1-T6FXbrr0Z&a	file.exe, 00000002.00000003.1486101744.0000000001867000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486557901.0000000001867000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=cMt-H-zOgNUp&l=english&am	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=PCCoCNLxwF4M&am	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://s.ytimg.com;	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/workshop/	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.steampowered.com/	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486774598.0000000001917000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/legal/	file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486774598.0000000001917000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steam.tv/	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/privacy_agreement/	file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486774598.0000000001917000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop/	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.5.dr	false	high
https://store.steampowered.com/	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com	file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sketchfab.com	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://lv.queniujq.cn	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com/	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
http://127.0.0.1:27060	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/privacy_agreement/	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=cMt-H-z	file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/recaptcha/	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://checkout.steampowered.com/	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.steampowered.com/	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1486774598.0000000001917000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=jfdbROVe	file.exe, 00000002.00000003.1485772806.000000000186B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456088914.000000000186B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/mobile	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/profiles/76561199822375128K	file.exe, 00000002.00000002.1486582922.000000000187C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou	file.exe, 00000002.00000002.1486750951.00000000018C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456025007.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485732575.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;	file.exe, 00000002.00000002.1486750951.00000000018C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485732575.00000000018BE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456025007.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1456217630.00000000018C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485732575.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485918028.00000000018C6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/about/	file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	file.exe, 00000002.00000003.1485680113.0000000001907000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001906000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1455985521.0000000001901000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1485680113.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.48.1	bugildbett.top	United States	13335	CLOUDFLARENETUS	false
104.21.16.1	htardwarehu.icu	United States	13335	CLOUDFLARENETUS	false
188.114.97.3	jowinjoinery.icu	European Union	13335	CLOUDFLARENETUS	false
104.73.234.102	steamcommunity.com	United States	16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637463
Start date and time:	2025-03-13 16:51:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@5/6@9/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 18 Number of non-executed functions: 141
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.190.159.130, 172.202.163.200, 23.60.203.209
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:52:52	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	345623.bat	Get hash	malicious	DBatLoader, FormBook	Browse	www.shlomi.app/9rzh/
	ySUB97Jq80.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.shlomi.app/9rzh/
	hQaXUS5gt0.exe	Get hash	malicious	FormBook	Browse	www.newanthoperso.shop/3nis/
	6nA8ZygZLP.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	UhuGtHUgHf.exe	Get hash	malicious	FormBook	Browse	www.enoughmoney.online/z9gb/
	Bill_of_Lading_20250307_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Stormwater Works Drawings Spec.js	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	Shipment Delivery No DE0093002-PDF.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	Remittance_CT022024.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/fix/five/fre.php
	http://microsoft-sharepoint4543464633.pages.dev/index-2jc93/	Get hash	malicious	HTMLPhisher	Browse	microsoft-sharepoint4543464633.pages.dev/index-2jc93/
104.21.16.1	https://t.co/6BJID9q49h	Get hash	malicious	HTMLPhisher	Browse	tcerfw.wittnng.sbs/favicon.ico
	J8bamK92a3.exe	Get hash	malicious	FormBook	Browse	www.play-vanguard-nirvana.xyz/egs9/?9r=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDKEzYOkwPMwL8bVA==&vZR=H2MpG0p
	0t7MXNEfCg.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/n61y/?UPV=BOlfS7N9ZWkGRIMRgNC6B6+WUTyM673eSjZAzliNIDKZHnAeT7/5dfTbZtimq+dx8K4CQjPcymznAMXPWSrBBYPYz0JSQDMkWzhvpNbFnW2/OcjAWw==&YrV=FlsDgRMx
	0IrTeguWM7.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/ftbq/
	Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	Payment Record.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Invoice Remittance ref27022558.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
	368c6e62-b031-5b65-fd43-e7a610184138.eml	Get hash	malicious	HTMLPhisher	Browse	ce60771026585.oakdiiocese.org/p/298?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bugildbett.top	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	nvtoaldlrg.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	awkthjjawdtrh.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	L0erlgyZ6f.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	104.21.96.1
	ModMenu.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	SpaceCheatFort.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	noypjksdaw.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	x1D44JHWDf.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.96.1
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
htardwarehu.icu	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	nvtoaldlrg.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	nyojpsdfkawed.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	L0erlgyZ6f.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	104.21.16.1
	ModMenu.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	SpaceCheatFort.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	noypjksdaw.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	x1D44JHWDf.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.96.1
steamcommunity.com	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	nvtoaldlrg.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	script5.ps1	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	https://stearncommmunity.com/profiles/52829086342741	Get hash	malicious	Unknown	Browse	23.197.127.21
	https://sceanmcommnunmnlty.com/xroea/spwoe/zxiwe	Get hash	malicious	Unknown	Browse	104.73.234.102
	https://sceanmcommnunmnlty.com/sotep/aofpe/zoepr	Get hash	malicious	Unknown	Browse	104.73.234.102
	http://gift50steam.com/50	Get hash	malicious	Unknown	Browse	104.73.234.102
jowinjoinery.icu	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	nvtoaldlrg.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	kmtsefjtjha.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	CheatInjector.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	L0erlgyZ6f.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	188.114.97.3
	13s1HMkHKv.exe	Get hash	malicious	Amadey, DarkVision Rat, Fallen Miner, LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SpaceCheatFort.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	noypjksdaw.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
legenassedk.top	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	nvtoaldlrg.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	L0erlgyZ6f.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	188.114.97.3
	ModMenu.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SpaceCheatFort.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	noypjksdaw.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	x1D44JHWDf.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SecuriteInfo.com.Win32.MalwareX-gen.1567.5483.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	Fallen Miner, Xmrig	Browse	104.20.3.235
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	https://ctrk.klclick3.com/l/01JP5VPSP6JS7E5VAEC1KGWEB7_2	Get hash	malicious	Unknown	Browse	104.17.93.1
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	Fallen Miner, Xmrig	Browse	104.20.3.235
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	https://ctrk.klclick3.com/l/01JP5VPSP6JS7E5VAEC1KGWEB7_2	Get hash	malicious	Unknown	Browse	104.17.93.1
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	Fallen Miner, Xmrig	Browse	104.20.3.235
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	https://ctrk.klclick3.com/l/01JP5VPSP6JS7E5VAEC1KGWEB7_2	Get hash	malicious	Unknown	Browse	104.17.93.1
AKAMAI-ASUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	http://app.plangrid.com/projects/bcb97291-5564-5612-9970-d1b139dcb62d/staple/b1fc2804-67d4-470e-9780-d2d4344b3b93	Get hash	malicious	Unknown	Browse	23.192.228.80
	Peo Retention Memo Reff No2.pdf	Get hash	malicious	Unknown	Browse	23.217.172.185
	nvtoaldlrg.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	7ZSfxMod_x86.exe	Get hash	malicious	Gamaredon, UltraVNC	Browse	2.19.105.127
	http://observalgerie.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.57.19.78
	https://scuddlecakevgzg.cfd/d7p96s	Get hash	malicious	Unknown	Browse	2.19.105.89
	New_Voicemail_Peterborough_.html	Get hash	malicious	HTMLPhisher	Browse	92.123.12.9

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	file.exe	Get hash	malicious	Unknown	Browse	104.73.234.102
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_98c4a92854e2a1a38fffa83e38a1ed277eca37f_cdb25171_240634a8-a421-4982-bd05-4a145b9cf6d3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7119144436143482
Encrypted:	false
SSDEEP:	192:ggRoHfIvnP20BU/Huiu3j/+zuiFTZ24IO8kFuB5:06nFBU/AjmzuiFTY4IO8V5
MD5:	0B72B31D83791878A21BBE834D56D2CC
SHA1:	AFAF7F57E695958077D434BF20A2186C082D451C
SHA-256:	26E949F75EE14978C81825D259D42E081486C7180BA82FAA546779C2051D7D9E
SHA-512:	B7F4B979B411935D071F889A915BD37113E60E185693A8F1EB94933F6ED477736D520EB88A388D9108FA37116042EA5629F95400A4BD31DC615A39348F19625A
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.3.5.4.7.6.6.0.9.1.2.0.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.3.5.4.7.6.6.4.3.4.9.5.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.0.6.3.4.a.8.-.a.4.2.1.-.4.9.8.2.-.b.d.0.5.-.4.a.1.4.5.b.9.c.f.6.d.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.6.0.4.4.c.2.-.3.8.7.f.-.4.3.b.8.-.8.6.4.5.-.7.e.c.f.9.9.e.c.5.7.d.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.b.c.-.0.0.0.1.-.0.0.1.8.-.8.2.b.3.-.4.5.f.6.2.f.9.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.c.3.d.7.7.a.d.7.4.a.3.c.0.1.e.b.a.1.8.f.d.1.9.e.d.a.9.4.7.8.9.c.d.d.7.b.9.c.b.1.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.3././.1.1.:.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC74D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Mar 13 15:52:46 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	37570
Entropy (8bit):	1.7238838020123641
Encrypted:	false
SSDEEP:	96:5L81YmB9yF1PcUwORYlN0tB7aVQoti7Olk3dVLqw8d8f4c8+8UbUjcHgUSgBjWI8:GumB9LO8E+2otO/4sXgl8iZWN35gRc
MD5:	CEBAB07D1F40A0F9666DF17B3D9D3476
SHA1:	66A5C4749B1B781E764E64C442F9199F1618B62B
SHA-256:	2DBC25334B2B6884286513F3178C36448D659F512B6D032645F0BCA6A2CE3D19
SHA-512:	C4E870DC484EBE94213128F73F7F4B725F659A8481B844C7AAF309DC58CB836A6AAE8CB5867AD7DE2849CFBD9157421ABAEF8B4ECEE5F3D1F6452BE1A3455277
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......N..g........................0...............Z...........T.......8...........T......................................................................................................................eJ......P.......GenuineIntel............T...........M..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7CB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8374
Entropy (8bit):	3.6958435949479402
Encrypted:	false
SSDEEP:	192:R6l7wVeJgC86BJ6YKWSU9/gmf6pAprp89bXKsf9dm:R6lXJM6/6YrSU9/gmfoTXpf2
MD5:	0D4B7825A41A5F46AF0DE55FFAB23711
SHA1:	3A47DE3516DADF44347D09D9BAD2B922ED687D65
SHA-256:	E2D39CB593266D1485D2A2C79ECD27DC67B6B658558E0BFF50A48459F5C20CFB
SHA-512:	D7280C1DB0CD77E87766A92BB55BB656A491CBCC0E921D0C808C48E7184409B428C5F60CF795F20D74ABBA6EA4FCF4A9B06318DC895A42EAE6B625338F88DE03
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.7.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7FB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4690
Entropy (8bit):	4.459627850945638
Encrypted:	false
SSDEEP:	48:cvIwWl8zsTJg77aI9xuWpW8VYpYm8M4JxAFe+q8va5B3P8hed:uIjftI7/P7VBJtKk3P8hed
MD5:	2EBA7ECF2E17AB44E07B422976C01F3D
SHA1:	9AA44E9F82F006C8F39FB351302AAA2E1E3BF389
SHA-256:	7589472B00EF03542DAEDFDD15C750D4BEA318F0F8D3CA5DAC63651C47D79FEA
SHA-512:	9E645317B57C03FA50B0087BA4888DFEFB343ABAD56709487EAE66B85476ECAE314AB128A1A0BCB32AB7615AF3D242121EA49BCA141A9F6ABC6BF8400C63D7A4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="759295" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.398368963140423
Encrypted:	false
SSDEEP:	6144:I/4fiJoH0ncNXiUjt10q7G/gaocYGBoAWQqZaK7FIeC/FacXF0YfY8ai:W4vF7MY6WQqYVtbV0cl
MD5:	04C563E9AE6C6A02CB1AD322658E70CB
SHA1:	F5A5273C363306B51623B83945030549856325A3
SHA-256:	16F8B6693F0C83DD4558DEA85AB1ED727B76ED2CF2556F1D016EB8C61D7A2806
SHA-512:	651B0C5E08EE3D8F255F7858DB00E23717C9E18F25C487E72CFB5C8EF5FE4C92A80FAFFEE4B175D3696372B30D731F1F09AD192B1D3CB9B71F3B1444655B92BD
Malicious:	false
Reputation:	low
Preview:	regfJ...J....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....f...............................................................................................................................................................................................................................................................................................................................................6..9........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7478159923512644
Encrypted:	false
SSDEEP:	768:likDoy6VGYxDkwRxibaNWG0b8AmpsI8Ng1+:li+Y6wC7U
MD5:	BC2AC5B156F709C588205EFE89BB7BEA
SHA1:	7D3D2E09A441FBCDEF88016EBEE9D562B69372BD
SHA-256:	F83CEB256A0C065AF16CC63D580529E9DD2459A285611B23B268C8F8EA509504
SHA-512:	BF1E5A9BAB4D955B42BCC01C6D1A7C3C93E17962FBC9A866E1094B7B50B98A64E3490FDE94AA39D0A710AFE9C6DEB6DEC9A06EB29C00C35AA7975BF38C4B55BA
Malicious:	false
Reputation:	low
Preview:	regfI...I....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....f...............................................................................................................................................................................................................................................................................................................................................0..9HvLE.n......I....`.......L9....$...............`............... .......@... ..hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........G...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t...

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.6890402913200955
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'366'528 bytes
MD5:	2002fdf412315d31fcdf5b6acbcaa53c
SHA1:	c3d77ad74a3c01eba18fd19eda94789cdd7b9cb1
SHA256:	b7bec68290b285cdcec37f9558f1488c36e971aded4b995b3a45a40ddcaf00dc
SHA512:	197d3a32a63a1305a58f7e69764279c10807f904f6aca8125112c73908f65ba14db5e59969c664b7fede30d008bdbb8d0327462d6717fed908befef31397ad4c
SSDEEP:	24576:uAi/c6dNtEWZ4B+UsxoxbzmXDpssjHdm+IFPJRpssjHdm+IFPJ:I0qNtnKB+UsxoxbzY9Tg+Ij7Tg+Ij
TLSH:	6255E07270C1C073FA4199B23598E3B5446BF672DA2D4BC7E2B4E739914CAD017AA12F
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g..........................................@.......................................@.................................06..<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x46e682
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D09BB6 [Tue Mar 11 20:23:18 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d462aa757f68629e41b3df6e6d4c6a3c

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F285852195Ah
jmp 00007F28585217C9h
mov ecx, dword ptr [00496840h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F2858521956h
test esi, ecx
jne 00007F2858521978h
call 00007F2858521981h
mov ecx, eax
cmp ecx, edi
jne 00007F2858521959h
mov ecx, BB40E64Fh
jmp 00007F2858521960h
test esi, ecx
jne 00007F285852195Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [00496840h], ecx
not ecx
pop edi
mov dword ptr [00496880h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00493864h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00493824h]
xor dword ptr [ebp-04h], eax
call dword ptr [00493820h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [004938ACh]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00498490h
call dword ptr [00493884h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F28585284A5h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x93630	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x99e00	0x4540
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0x435c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8fb28	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8bf98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x937c0	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x89ad0	0x89c00	0bd698a1f44cc91b018d0fe5240109ab	False	0.5286942774500908	data	7.09207256696417	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8b000	0xa034	0xa200	383899a836f6650ba73e1556e24d0e62	False	0.4230806327160494	data	4.888147649186249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x96000	0x2c5c	0x1600	233e04c81724f6e0f553a5dbb15f0a09	False	0.4073153409090909	data	4.744840434225013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x99000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x9a000	0x435c	0x4400	b181df1a2af7bbd01ea74e454a21e7ba	False	0.7916475183823529	data	6.714823432652306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x9f000	0x57a00	0x57a00	213a7fc720e85a1f68023cf4639ddd38	False	1.0003231990014265	OpenPGP Public Key	7.999497235233785	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xf7000	0x57a00	0x57a00	213a7fc720e85a1f68023cf4639ddd38	False	1.0003231990014265	OpenPGP Public Key	7.999497235233785	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

ole32.dll

OleDraw

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T16:52:49.962257+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49683	188.114.97.3	443	TCP
2025-03-13T16:52:56.516356+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49691	104.21.16.1	443	TCP
2025-03-13T16:53:04.899043+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49695	188.114.97.3	443	TCP
2025-03-13T16:53:08.228392+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49698	188.114.97.3	443	TCP
2025-03-13T16:53:13.948541+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49705	104.21.16.1	443	TCP
2025-03-13T16:53:19.826092+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49709	104.21.16.1	443	TCP
2025-03-13T16:53:25.731376+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49712	104.21.48.1	443	TCP
2025-03-13T16:53:30.303363+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49715	104.73.234.102	443	TCP
2025-03-13T16:53:33.191985+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	58769	104.73.234.102	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 16:52:46.753336906 CET	49683	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:46.753444910 CET	443	49683	188.114.97.3	192.168.2.9
Mar 13, 2025 16:52:46.753566027 CET	49683	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:46.757061005 CET	49683	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:46.757096052 CET	443	49683	188.114.97.3	192.168.2.9
Mar 13, 2025 16:52:49.960704088 CET	443	49683	188.114.97.3	192.168.2.9
Mar 13, 2025 16:52:49.962256908 CET	49683	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:49.962368011 CET	443	49683	188.114.97.3	192.168.2.9
Mar 13, 2025 16:52:49.962444067 CET	49683	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:49.962682962 CET	49685	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:49.962728024 CET	443	49685	188.114.97.3	192.168.2.9
Mar 13, 2025 16:52:49.962814093 CET	49685	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:49.963552952 CET	49685	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:49.963567019 CET	443	49685	188.114.97.3	192.168.2.9
Mar 13, 2025 16:52:52.858917952 CET	443	49685	188.114.97.3	192.168.2.9
Mar 13, 2025 16:52:52.859234095 CET	49685	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:52.859355927 CET	443	49685	188.114.97.3	192.168.2.9
Mar 13, 2025 16:52:52.859421968 CET	49685	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:52.859611034 CET	49690	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:52.859654903 CET	443	49690	188.114.97.3	192.168.2.9
Mar 13, 2025 16:52:52.859720945 CET	49690	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:52.861553907 CET	49690	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:52.861584902 CET	443	49690	188.114.97.3	192.168.2.9
Mar 13, 2025 16:52:52.861649036 CET	49690	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:53.259941101 CET	49691	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:53.259990931 CET	443	49691	104.21.16.1	192.168.2.9
Mar 13, 2025 16:52:53.260106087 CET	49691	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:53.260422945 CET	49691	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:53.260437012 CET	443	49691	104.21.16.1	192.168.2.9
Mar 13, 2025 16:52:56.515903950 CET	443	49691	104.21.16.1	192.168.2.9
Mar 13, 2025 16:52:56.516355991 CET	49691	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:56.516467094 CET	443	49691	104.21.16.1	192.168.2.9
Mar 13, 2025 16:52:56.516525984 CET	49691	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:56.516813040 CET	49692	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:56.516912937 CET	443	49692	104.21.16.1	192.168.2.9
Mar 13, 2025 16:52:56.517007113 CET	49692	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:56.517333984 CET	49692	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:56.517369032 CET	443	49692	104.21.16.1	192.168.2.9
Mar 13, 2025 16:52:59.251265049 CET	443	49692	104.21.16.1	192.168.2.9
Mar 13, 2025 16:52:59.251693964 CET	49692	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:59.251837969 CET	443	49692	104.21.16.1	192.168.2.9
Mar 13, 2025 16:52:59.251900911 CET	49692	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:59.252022028 CET	49693	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:59.252140045 CET	443	49693	104.21.16.1	192.168.2.9
Mar 13, 2025 16:52:59.252235889 CET	49693	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:59.252401114 CET	49693	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:59.252445936 CET	443	49693	104.21.16.1	192.168.2.9
Mar 13, 2025 16:52:59.252506018 CET	49693	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:52:59.253313065 CET	49694	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:59.253353119 CET	443	49694	188.114.97.3	192.168.2.9
Mar 13, 2025 16:52:59.253441095 CET	49694	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:59.253617048 CET	49694	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:52:59.253628969 CET	443	49694	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:01.959321976 CET	443	49694	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:01.966676950 CET	49694	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:01.966794014 CET	443	49694	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:01.966840982 CET	49694	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:01.967211008 CET	49695	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:01.967251062 CET	443	49695	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:01.967339993 CET	49695	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:01.967611074 CET	49695	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:01.967627048 CET	443	49695	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:04.898552895 CET	443	49695	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:04.899043083 CET	49695	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:04.899161100 CET	443	49695	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:04.899204969 CET	49695	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:04.899543047 CET	49697	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:04.899593115 CET	443	49697	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:04.899688959 CET	49697	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:04.899857998 CET	49697	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:04.899880886 CET	443	49697	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:04.900010109 CET	49697	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:05.185508966 CET	49698	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:05.185549974 CET	443	49698	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:05.185662031 CET	49698	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:05.186249018 CET	49698	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:05.186258078 CET	443	49698	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:08.200253963 CET	443	49698	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:08.228391886 CET	49698	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:08.228574991 CET	443	49698	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:08.228632927 CET	49698	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:08.228838921 CET	49701	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:08.228885889 CET	443	49701	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:08.228956938 CET	49701	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:08.229959011 CET	49701	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:08.229971886 CET	443	49701	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:11.120203018 CET	443	49701	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:11.120852947 CET	49701	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:11.120986938 CET	443	49701	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:11.121037006 CET	49701	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:11.121615887 CET	49704	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:11.121665001 CET	443	49704	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:11.121740103 CET	49704	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:11.122226954 CET	49704	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:11.122258902 CET	443	49704	188.114.97.3	192.168.2.9
Mar 13, 2025 16:53:11.122298956 CET	49704	443	192.168.2.9	188.114.97.3
Mar 13, 2025 16:53:11.141133070 CET	49705	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:11.141176939 CET	443	49705	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:11.141258001 CET	49705	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:11.141839027 CET	49705	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:11.141851902 CET	443	49705	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:13.947854996 CET	443	49705	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:13.948540926 CET	49705	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:13.948647976 CET	443	49705	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:13.948959112 CET	49705	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:13.949039936 CET	49707	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:13.949079037 CET	443	49707	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:13.949158907 CET	49707	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:13.949903965 CET	49707	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:13.949917078 CET	443	49707	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:16.922426939 CET	443	49707	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:16.938023090 CET	49707	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:16.938148975 CET	443	49707	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:16.938193083 CET	49707	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:16.938821077 CET	49708	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:16.938873053 CET	443	49708	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:16.938936949 CET	49708	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:16.940026999 CET	49708	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:16.940062046 CET	443	49708	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:16.940108061 CET	49708	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:16.955208063 CET	49709	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:16.955250978 CET	443	49709	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:16.955327034 CET	49709	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:16.955907106 CET	49709	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:16.955920935 CET	443	49709	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:19.825675011 CET	443	49709	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:19.826092005 CET	49709	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:19.826214075 CET	443	49709	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:19.826277971 CET	49709	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:19.826442957 CET	49710	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:19.826482058 CET	443	49710	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:19.826551914 CET	49710	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:19.827016115 CET	49710	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:19.827028990 CET	443	49710	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:22.563188076 CET	443	49710	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:22.563791037 CET	49710	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:22.563914061 CET	443	49710	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:22.563978910 CET	49710	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:22.564313889 CET	49711	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:22.564367056 CET	443	49711	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:22.564439058 CET	49711	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:22.564641953 CET	49711	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:22.564666986 CET	443	49711	104.21.16.1	192.168.2.9
Mar 13, 2025 16:53:22.564712048 CET	49711	443	192.168.2.9	104.21.16.1
Mar 13, 2025 16:53:22.791938066 CET	49712	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:22.791986942 CET	443	49712	104.21.48.1	192.168.2.9
Mar 13, 2025 16:53:22.792077065 CET	49712	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:22.792422056 CET	49712	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:22.792434931 CET	443	49712	104.21.48.1	192.168.2.9
Mar 13, 2025 16:53:25.730885983 CET	443	49712	104.21.48.1	192.168.2.9
Mar 13, 2025 16:53:25.731375933 CET	49712	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:25.731482983 CET	443	49712	104.21.48.1	192.168.2.9
Mar 13, 2025 16:53:25.731540918 CET	49712	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:25.731831074 CET	49713	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:25.731873035 CET	443	49713	104.21.48.1	192.168.2.9
Mar 13, 2025 16:53:25.731946945 CET	49713	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:25.732253075 CET	49713	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:25.732260942 CET	443	49713	104.21.48.1	192.168.2.9
Mar 13, 2025 16:53:28.618899107 CET	443	49713	104.21.48.1	192.168.2.9
Mar 13, 2025 16:53:28.619270086 CET	49713	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:28.619390011 CET	443	49713	104.21.48.1	192.168.2.9
Mar 13, 2025 16:53:28.619434118 CET	49713	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:28.619704008 CET	49714	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:28.619741917 CET	443	49714	104.21.48.1	192.168.2.9
Mar 13, 2025 16:53:28.619811058 CET	49714	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:28.620006084 CET	49714	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:28.620033026 CET	443	49714	104.21.48.1	192.168.2.9
Mar 13, 2025 16:53:28.620076895 CET	49714	443	192.168.2.9	104.21.48.1
Mar 13, 2025 16:53:28.642657042 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:28.642699003 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:28.642772913 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:28.643085003 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:28.643100977 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:30.303141117 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:30.303363085 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:30.305226088 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:30.305249929 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:30.305507898 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:30.347883940 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:30.352649927 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:30.400325060 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.199753046 CET	58768	53	192.168.2.9	162.159.36.2
Mar 13, 2025 16:53:31.204504013 CET	53	58768	162.159.36.2	192.168.2.9
Mar 13, 2025 16:53:31.204670906 CET	58768	53	192.168.2.9	162.159.36.2
Mar 13, 2025 16:53:31.209533930 CET	53	58768	162.159.36.2	192.168.2.9
Mar 13, 2025 16:53:31.279743910 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.279776096 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.279808998 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.279828072 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.279835939 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:31.279853106 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.279865026 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.280030012 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:31.280030012 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:31.373927116 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.373967886 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.374016047 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:31.374031067 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.374044895 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.374063015 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:31.374085903 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:31.376995087 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:31.377007961 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.377021074 CET	49715	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:31.377026081 CET	443	49715	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.406604052 CET	58769	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:31.406639099 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.406719923 CET	58769	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:31.407023907 CET	58769	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:31.407041073 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:31.672276020 CET	58768	53	192.168.2.9	162.159.36.2
Mar 13, 2025 16:53:31.677294970 CET	53	58768	162.159.36.2	192.168.2.9
Mar 13, 2025 16:53:31.677356005 CET	58768	53	192.168.2.9	162.159.36.2
Mar 13, 2025 16:53:33.191878080 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:33.191984892 CET	58769	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:33.193547010 CET	58769	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:33.193559885 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:33.193792105 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:33.195167065 CET	58769	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:33.236337900 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:34.237696886 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:34.237735033 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:34.237751007 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:34.237813950 CET	58769	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:34.237833023 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:34.237862110 CET	58769	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:34.237881899 CET	58769	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:34.346735954 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:34.346774101 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:34.346829891 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:34.346846104 CET	58769	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:34.346908092 CET	58769	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:34.347085953 CET	58769	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:34.347103119 CET	443	58769	104.73.234.102	192.168.2.9
Mar 13, 2025 16:53:34.347115993 CET	58769	443	192.168.2.9	104.73.234.102
Mar 13, 2025 16:53:34.347121000 CET	443	58769	104.73.234.102	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 16:52:46.723850012 CET	51744	53	192.168.2.9	1.1.1.1
Mar 13, 2025 16:52:46.748297930 CET	53	51744	1.1.1.1	192.168.2.9
Mar 13, 2025 16:52:52.862991095 CET	55227	53	192.168.2.9	1.1.1.1
Mar 13, 2025 16:52:52.876185894 CET	53	55227	1.1.1.1	192.168.2.9
Mar 13, 2025 16:52:52.877351999 CET	65072	53	192.168.2.9	1.1.1.1
Mar 13, 2025 16:52:53.258778095 CET	53	65072	1.1.1.1	192.168.2.9
Mar 13, 2025 16:53:04.901196003 CET	52366	53	192.168.2.9	1.1.1.1
Mar 13, 2025 16:53:05.183891058 CET	53	52366	1.1.1.1	192.168.2.9
Mar 13, 2025 16:53:11.124541044 CET	63172	53	192.168.2.9	1.1.1.1
Mar 13, 2025 16:53:11.139928102 CET	53	63172	1.1.1.1	192.168.2.9
Mar 13, 2025 16:53:16.941571951 CET	62408	53	192.168.2.9	1.1.1.1
Mar 13, 2025 16:53:16.953943968 CET	53	62408	1.1.1.1	192.168.2.9
Mar 13, 2025 16:53:22.566086054 CET	51387	53	192.168.2.9	1.1.1.1
Mar 13, 2025 16:53:22.790900946 CET	53	51387	1.1.1.1	192.168.2.9
Mar 13, 2025 16:53:28.621151924 CET	53113	53	192.168.2.9	1.1.1.1
Mar 13, 2025 16:53:28.633876085 CET	53	53113	1.1.1.1	192.168.2.9
Mar 13, 2025 16:53:28.635436058 CET	62482	53	192.168.2.9	1.1.1.1
Mar 13, 2025 16:53:28.641997099 CET	53	62482	1.1.1.1	192.168.2.9
Mar 13, 2025 16:53:31.198827028 CET	53	51859	162.159.36.2	192.168.2.9
Mar 13, 2025 16:53:31.710246086 CET	53	55218	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 16:52:46.723850012 CET	192.168.2.9	1.1.1.1	0x73ae	Standard query (0)	jowinjoinery.icu	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:52:52.862991095 CET	192.168.2.9	1.1.1.1	0xf9b4	Standard query (0)	featureccus.shop	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:52:52.877351999 CET	192.168.2.9	1.1.1.1	0xf269	Standard query (0)	mrodularmall.top	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:04.901196003 CET	192.168.2.9	1.1.1.1	0x61a1	Standard query (0)	legenassedk.top	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:11.124541044 CET	192.168.2.9	1.1.1.1	0xd5dd	Standard query (0)	htardwarehu.icu	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:16.941571951 CET	192.168.2.9	1.1.1.1	0x6b1e	Standard query (0)	cjlaspcorne.icu	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:22.566086054 CET	192.168.2.9	1.1.1.1	0xfcbf	Standard query (0)	bugildbett.top	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:28.621151924 CET	192.168.2.9	1.1.1.1	0x376b	Standard query (0)	latchclan.shop	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:28.635436058 CET	192.168.2.9	1.1.1.1	0x73d4	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 16:52:46.748297930 CET	1.1.1.1	192.168.2.9	0x73ae	No error (0)	jowinjoinery.icu		188.114.97.3	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:52:46.748297930 CET	1.1.1.1	192.168.2.9	0x73ae	No error (0)	jowinjoinery.icu		188.114.96.3	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:52:52.876185894 CET	1.1.1.1	192.168.2.9	0xf9b4	Name error (3)	featureccus.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:52:53.258778095 CET	1.1.1.1	192.168.2.9	0xf269	No error (0)	mrodularmall.top		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:52:53.258778095 CET	1.1.1.1	192.168.2.9	0xf269	No error (0)	mrodularmall.top		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:52:53.258778095 CET	1.1.1.1	192.168.2.9	0xf269	No error (0)	mrodularmall.top		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:52:53.258778095 CET	1.1.1.1	192.168.2.9	0xf269	No error (0)	mrodularmall.top		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:52:53.258778095 CET	1.1.1.1	192.168.2.9	0xf269	No error (0)	mrodularmall.top		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:52:53.258778095 CET	1.1.1.1	192.168.2.9	0xf269	No error (0)	mrodularmall.top		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:52:53.258778095 CET	1.1.1.1	192.168.2.9	0xf269	No error (0)	mrodularmall.top		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:05.183891058 CET	1.1.1.1	192.168.2.9	0x61a1	No error (0)	legenassedk.top		188.114.97.3	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:05.183891058 CET	1.1.1.1	192.168.2.9	0x61a1	No error (0)	legenassedk.top		188.114.96.3	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:11.139928102 CET	1.1.1.1	192.168.2.9	0xd5dd	No error (0)	htardwarehu.icu		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:11.139928102 CET	1.1.1.1	192.168.2.9	0xd5dd	No error (0)	htardwarehu.icu		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:11.139928102 CET	1.1.1.1	192.168.2.9	0xd5dd	No error (0)	htardwarehu.icu		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:11.139928102 CET	1.1.1.1	192.168.2.9	0xd5dd	No error (0)	htardwarehu.icu		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:11.139928102 CET	1.1.1.1	192.168.2.9	0xd5dd	No error (0)	htardwarehu.icu		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:11.139928102 CET	1.1.1.1	192.168.2.9	0xd5dd	No error (0)	htardwarehu.icu		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:11.139928102 CET	1.1.1.1	192.168.2.9	0xd5dd	No error (0)	htardwarehu.icu		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:16.953943968 CET	1.1.1.1	192.168.2.9	0x6b1e	No error (0)	cjlaspcorne.icu		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:16.953943968 CET	1.1.1.1	192.168.2.9	0x6b1e	No error (0)	cjlaspcorne.icu		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:16.953943968 CET	1.1.1.1	192.168.2.9	0x6b1e	No error (0)	cjlaspcorne.icu		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:16.953943968 CET	1.1.1.1	192.168.2.9	0x6b1e	No error (0)	cjlaspcorne.icu		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:16.953943968 CET	1.1.1.1	192.168.2.9	0x6b1e	No error (0)	cjlaspcorne.icu		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:16.953943968 CET	1.1.1.1	192.168.2.9	0x6b1e	No error (0)	cjlaspcorne.icu		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:16.953943968 CET	1.1.1.1	192.168.2.9	0x6b1e	No error (0)	cjlaspcorne.icu		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:22.790900946 CET	1.1.1.1	192.168.2.9	0xfcbf	No error (0)	bugildbett.top		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:22.790900946 CET	1.1.1.1	192.168.2.9	0xfcbf	No error (0)	bugildbett.top		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:22.790900946 CET	1.1.1.1	192.168.2.9	0xfcbf	No error (0)	bugildbett.top		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:22.790900946 CET	1.1.1.1	192.168.2.9	0xfcbf	No error (0)	bugildbett.top		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:22.790900946 CET	1.1.1.1	192.168.2.9	0xfcbf	No error (0)	bugildbett.top		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:22.790900946 CET	1.1.1.1	192.168.2.9	0xfcbf	No error (0)	bugildbett.top		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:22.790900946 CET	1.1.1.1	192.168.2.9	0xfcbf	No error (0)	bugildbett.top		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:28.633876085 CET	1.1.1.1	192.168.2.9	0x376b	Name error (3)	latchclan.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 13, 2025 16:53:28.641997099 CET	1.1.1.1	192.168.2.9	0x73d4	No error (0)	steamcommunity.com		104.73.234.102	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49715	104.73.234.102	443	6524	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 15:53:30 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-13 15:53:31 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 13 Mar 2025 15:53:30 GMT Content-Length: 26244 Connection: close Set-Cookie: sessionid=ac77c0ab410d8b3730e05350; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C14c9dde9b41d2538b03ea660c9fb439f; path=/; secure; HttpOnly; SameSite=None
2025-03-13 15:53:31 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-13 15:53:31 UTC	11822	IN	Data Raw: 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6f 64 79 20 70 6f 70 75 70 5f 6d 65 6e 75 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 73 63 68 69 6e 65 73 65 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 73 63 68 69 6e 65 73 65 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e7 ae 80 e4 bd 93 e4 b8 ad e6 96 87 20 28 53 69 6d 70 6c 69 66 69 65 64 20 43 68 69 6e 65 73 65 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 Data Ascii: yle="display: none;"><div class="popup_body popup_menu"><a class="popup_menu_item tight" href="?l=schinese" onclick="ChangeLanguage( 'schinese' ); return false;"> (Simplified Chinese)</a>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	58769	104.73.234.102	443	6524	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 15:53:33 UTC	94	OUT	GET /profiles/76561199822375128 HTTP/1.1 Connection: Keep-Alive Host: steamcommunity.com
2025-03-13 15:53:34 UTC	1962	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 13 Mar 2025 15:53:33 GMT Content-Length: 26244 Connection: close Set-Cookie: sessionid=58b4bafbedb91d2ef4c08271; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C14c9dde9b41d2538b03ea660c9fb439f; path=/; secure; HttpOnly; SameSite=None
2025-03-13 15:53:34 UTC	14422	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21">
2025-03-13 15:53:34 UTC	11822	IN	Data Raw: 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6f 64 79 20 70 6f 70 75 70 5f 6d 65 6e 75 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 73 63 68 69 6e 65 73 65 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 73 63 68 69 6e 65 73 65 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e7 ae 80 e4 bd 93 e4 b8 ad e6 96 87 20 28 53 69 6d 70 6c 69 66 69 65 64 20 43 68 69 6e 65 73 65 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 Data Ascii: yle="display: none;"><div class="popup_body popup_menu"><a class="popup_menu_item tight" href="?l=schinese" onclick="ChangeLanguage( 'schinese' ); return false;"> (Simplified Chinese)</a>

Target ID:	0
Start time:	11:52:45
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x1000000
File size:	1'366'528 bytes
MD5 hash:	2002FDF412315D31FCDF5B6ACBCAA53C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:52:45
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74be10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:52:45
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x1000000
File size:	1'366'528 bytes
MD5 hash:	2002FDF412315D31FCDF5B6ACBCAA53C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:52:45
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 396
Imagebase:	0xe50000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_98c4a92854e2a1a38fffa83e38a1ed277eca37f_cdb25171_240634a8-a421-4982-bd05-4a145b9cf6d3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC74D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7CB.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7FB.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
file.exe