Edit tour

Windows Analysis Report
Owncloud.exe

Overview

General Information

Sample name:	Owncloud.exe
Analysis ID:	1637743
MD5:	96760a71cab0c762a3a67ed2d900cb32
SHA1:	b9692132238fefb211f69d0d57b7528e0e7bc1dc
SHA256:	9e6ce56a793d930a05fc51628f76bdb660ee61e3a4587ce33a2c4514b6ccc13f
Tags:	exeuser-N3utralZ0ne
Infos:

Detection

GO Backdoor, LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GO Backdoor

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Found Tor onion address

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Owncloud.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\Owncloud.exe" MD5: 96760A71CAB0C762A3A67ED2D900CB32)

1NL2UUTXGRDJBOX6R5AY7089XD.exe (PID: 1080 cmdline: "C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe" MD5: 8BCD144423A25770C111195F74B1E7CB)

rareTemp.exe (PID: 5824 cmdline: "C:\Users\user\AppData\Local\Temp\rareTemp.exe" MD5: 8BCD144423A25770C111195F74B1E7CB)

rareTemp.exe (PID: 3388 cmdline: "C:\Users\user\AppData\Local\Temp\rareTemp.exe" MD5: 8BCD144423A25770C111195F74B1E7CB)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": "http://193.187.172.163:30001/api"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.3691391127.000000000BCC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000C.00000002.3692047583.000000000BDC4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000C.00000002.3692047583.000000000BD5A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000D.00000002.3692993598.000000000C1FC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000C.00000002.3692047583.000000000BE17000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000A.00000002.3691730893.000000000C52A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000D.00000002.3692993598.000000000C1BE000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000C.00000002.3690303975.000000000BC48000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000C.00000002.3694363786.000000000BE80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000D.00000002.3690308390.000000000C042000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000D.00000002.3691409369.000000000C132000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000D.00000002.3691409369.000000000C0F6000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000D.00000002.3690308390.000000000C058000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000C.00000002.3690303975.000000000BC6B000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000D.00000002.3691409369.000000000C13E000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000D.00000002.3692993598.000000000C1D4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000D.00000002.3690308390.000000000C078000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000C.00000002.3692047583.000000000BDAC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000A.00000002.3691730893.000000000C542000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
0000000C.00000002.3692047583.000000000BDCC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
Process Memory Space: Owncloud.exe PID: 7280	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Owncloud.exe PID: 7280	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 1NL2UUTXGRDJBOX6R5AY7089XD.exe PID: 1080	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
Process Memory Space: rareTemp.exe PID: 5824	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
Process Memory Space: rareTemp.exe PID: 3388	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\rareTemp.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe, ProcessId: 1080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecAV

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\rareTemp.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe, ProcessId: 1080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecAV

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T22:10:59.632279+0100	2028371	3	Unknown Traffic	192.168.2.6	49697	104.73.234.102	443	TCP
2025-03-13T22:11:02.066718+0100	2028371	3	Unknown Traffic	192.168.2.6	49699	188.114.96.3	443	TCP
2025-03-13T22:11:06.025777+0100	2028371	3	Unknown Traffic	192.168.2.6	49700	104.73.234.102	443	TCP
2025-03-13T22:11:08.577311+0100	2028371	3	Unknown Traffic	192.168.2.6	49702	188.114.96.3	443	TCP
2025-03-13T22:11:09.935701+0100	2028371	3	Unknown Traffic	192.168.2.6	49703	104.73.234.102	443	TCP
2025-03-13T22:11:11.422741+0100	2028371	3	Unknown Traffic	192.168.2.6	49704	104.73.234.102	443	TCP
2025-03-13T22:11:13.921364+0100	2028371	3	Unknown Traffic	192.168.2.6	49705	188.114.96.3	443	TCP
2025-03-13T22:11:17.665916+0100	2028371	3	Unknown Traffic	192.168.2.6	49706	104.73.234.102	443	TCP
2025-03-13T22:11:20.648839+0100	2028371	3	Unknown Traffic	192.168.2.6	49707	104.73.234.102	443	TCP
2025-03-13T22:11:23.689058+0100	2028371	3	Unknown Traffic	192.168.2.6	49708	188.114.96.3	443	TCP
2025-03-13T22:11:29.756147+0100	2028371	3	Unknown Traffic	192.168.2.6	49709	104.73.234.102	443	TCP
2025-03-13T22:11:32.174895+0100	2028371	3	Unknown Traffic	192.168.2.6	49711	188.114.96.3	443	TCP
2025-03-13T22:11:36.140362+0100	2028371	3	Unknown Traffic	192.168.2.6	49712	104.73.234.102	443	TCP
2025-03-13T22:11:39.260127+0100	2028371	3	Unknown Traffic	192.168.2.6	49713	188.114.96.3	443	TCP
2025-03-13T22:11:41.920276+0100	2028371	3	Unknown Traffic	192.168.2.6	49714	23.197.127.21	443	TCP
2025-03-13T22:11:43.496226+0100	2028371	3	Unknown Traffic	192.168.2.6	49715	23.197.127.21	443	TCP
2025-03-13T22:11:45.862103+0100	2028371	3	Unknown Traffic	192.168.2.6	49716	188.114.96.3	443	TCP
2025-03-13T22:11:48.149181+0100	2028371	3	Unknown Traffic	192.168.2.6	49717	216.107.136.186	443	TCP

ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T22:12:28.235494+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49718	46.8.232.106	30001	TCP
2025-03-13T22:13:08.099788+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49720	46.8.232.106	30001	TCP
2025-03-13T22:13:08.859632+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49721	147.45.196.157	30001	TCP
2025-03-13T22:13:09.703334+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49722	193.187.172.163	30001	TCP
2025-03-13T22:13:10.787692+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49723	91.212.166.154	30001	TCP
2025-03-13T22:13:11.413800+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49724	91.212.166.155	30001	TCP
2025-03-13T22:13:16.046856+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49725	46.8.232.106	30001	TCP
2025-03-13T22:13:16.703636+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49726	147.45.196.157	30001	TCP
2025-03-13T22:13:17.375081+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49727	193.187.172.163	30001	TCP
2025-03-13T22:13:18.161255+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49728	91.212.166.154	30001	TCP
2025-03-13T22:13:18.856734+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49729	91.212.166.155	30001	TCP
2025-03-13T22:13:42.182087+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49730	46.8.232.106	30001	TCP
2025-03-13T22:13:42.862384+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49731	147.45.196.157	30001	TCP
2025-03-13T22:13:43.543346+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49732	193.187.172.163	30001	TCP
2025-03-13T22:13:44.492665+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49733	91.212.166.154	30001	TCP
2025-03-13T22:13:45.222847+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49734	91.212.166.155	30001	TCP
2025-03-13T22:13:50.035590+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49735	46.8.232.106	30001	TCP
2025-03-13T22:13:50.934587+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49736	147.45.196.157	30001	TCP
2025-03-13T22:13:51.737724+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49737	193.187.172.163	30001	TCP
2025-03-13T22:13:52.486077+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49738	91.212.166.154	30001	TCP
2025-03-13T22:13:53.205858+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49739	91.212.166.155	30001	TCP
2025-03-13T22:14:16.056633+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49740	46.8.232.106	30001	TCP
2025-03-13T22:14:16.924720+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49741	147.45.196.157	30001	TCP
2025-03-13T22:14:17.549506+0100	2855478	1	A Network Trojan was detected	192.168.2.6	49742	193.187.172.163	30001	TCP

ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T22:12:29.450383+0100	2855536	1	A Network Trojan was detected	192.168.2.6	49719	195.200.31.22	11427	TCP

ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T22:12:58.786512+0100	2855537	1	A Network Trojan was detected	192.168.2.6	49719	195.200.31.22	11427	TCP

ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T22:12:58.959036+0100	2855538	1	A Network Trojan was detected	195.200.31.22	11427	192.168.2.6	49719	TCP

ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T22:12:29.242152+0100	2855539	1	A Network Trojan was detected	195.200.31.22	11427	192.168.2.6	49719	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Owncloud.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://147.45.196.157:30001/api/helper-first-register	Avira URL Cloud: Label: malware
Source: http://147.45.196.157:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen2
Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen2

Found malware configuration

Source: rareTemp.exe.5824.12.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": "http://193.187.172.163:30001/api"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Source: Owncloud.exe	Virustotal: Detection: 58%			Perma Link
Source: Owncloud.exe	ReversingLabs: Detection: 57%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	Unpacked PE file: 10.2.1NL2UUTXGRDJBOX6R5AY7089XD.exe.3560000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Unpacked PE file: 13.2.rareTemp.exe.3040000.2.unpack

Source: Owncloud.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.107.136.186:443 -> 192.168.2.6:49717 version: TLS 1.2

Source: Owncloud.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 195.200.31.22:11427 -> 192.168.2.6:49719
Source: Network traffic	Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.6:49719 -> 195.200.31.22:11427
Source: Network traffic	Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.6:49719 -> 195.200.31.22:11427
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49718 -> 46.8.232.106:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49736 -> 147.45.196.157:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49721 -> 147.45.196.157:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49735 -> 46.8.232.106:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49731 -> 147.45.196.157:30001
Source: Network traffic	Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 195.200.31.22:11427 -> 192.168.2.6:49719
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49727 -> 193.187.172.163:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49738 -> 91.212.166.154:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49734 -> 91.212.166.155:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49724 -> 91.212.166.155:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49722 -> 193.187.172.163:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49740 -> 46.8.232.106:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49741 -> 147.45.196.157:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49728 -> 91.212.166.154:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49729 -> 91.212.166.155:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49720 -> 46.8.232.106:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49725 -> 46.8.232.106:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49739 -> 91.212.166.155:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49726 -> 147.45.196.157:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49723 -> 91.212.166.154:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49730 -> 46.8.232.106:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49737 -> 193.187.172.163:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49732 -> 193.187.172.163:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49742 -> 193.187.172.163:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.6:49733 -> 91.212.166.154:30001

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://193.187.172.163:30001/api

Found Tor onion address

Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3689732323.00000000039DD000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3689732323.00000000039DD000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3687826952.0000000000C11000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3687826952.0000000000C11000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp
Source: rareTemp.exe, 0000000C.00000002.3687886807.00000000004B1000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp
Source: rareTemp.exe, 0000000C.00000002.3687886807.00000000004B1000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp
Source: rareTemp.exe, 0000000C.00000002.3689683190.000000000315D000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp
Source: rareTemp.exe, 0000000C.00000002.3689683190.000000000315D000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp
Source: rareTemp.exe, 0000000D.00000002.3687757201.00000000004B1000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp
Source: rareTemp.exe, 0000000D.00000002.3687757201.00000000004B1000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp
Source: rareTemp.exe, 0000000D.00000002.3689632664.00000000034BD000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp
Source: rareTemp.exe, 0000000D.00000002.3689632664.00000000034BD000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49742

Source: global traffic	TCP traffic: 192.168.2.6:49718 -> 46.8.232.106:30001
Source: global traffic	TCP traffic: 192.168.2.6:49719 -> 195.200.31.22:11427
Source: global traffic	TCP traffic: 192.168.2.6:49721 -> 147.45.196.157:30001
Source: global traffic	TCP traffic: 192.168.2.6:49722 -> 193.187.172.163:30001
Source: global traffic	TCP traffic: 192.168.2.6:49723 -> 91.212.166.154:30001
Source: global traffic	TCP traffic: 192.168.2.6:49724 -> 91.212.166.155:30001

Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /Rainmeter.exe HTTP/1.1Connection: Keep-AliveHost: rtsfinancal.com

Source: Joe Sandbox View	IP Address: 46.8.232.106 46.8.232.106
Source: Joe Sandbox View	IP Address: 46.8.232.106 46.8.232.106
Source: Joe Sandbox View	IP Address: 147.45.196.157 147.45.196.157
Source: Joe Sandbox View	IP Address: 23.197.127.21 23.197.127.21

Source: Joe Sandbox View	ASN Name: FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics
Source: Joe Sandbox View	ASN Name: KCOM-SPNService-ProviderNetworkex-MistralGB KCOM-SPNService-ProviderNetworkex-MistralGB

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49699 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49708 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49705 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49704 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49703 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49707 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49697 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49700 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49711 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49716 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49702 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49714 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49717 -> 216.107.136.186:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49715 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49706 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 104.73.234.102:443

Source: global traffic	HTTP traffic detected: POST /bSHsyZD HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 41Host: guntac.bet
Source: global traffic	HTTP traffic detected: POST /bSHsyZD HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IgUL3z5xRZ2rWjDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14894Host: guntac.bet
Source: global traffic	HTTP traffic detected: POST /bSHsyZD HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LF7YXk0m8FaY2rlhUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15080Host: guntac.bet
Source: global traffic	HTTP traffic detected: POST /bSHsyZD HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VZ9T9p5dRp7FEGwZh4CUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19952Host: guntac.bet
Source: global traffic	HTTP traffic detected: POST /bSHsyZD HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=sgY3Zq1D1F26ZDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2512Host: guntac.bet
Source: global traffic	HTTP traffic detected: POST /bSHsyZD HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=bM1cnzWC910hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 589881Host: guntac.bet
Source: global traffic	HTTP traffic detected: POST /bSHsyZD HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 79Host: guntac.bet

Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 195.200.31.22
Source: unknown	TCP traffic detected without corresponding DNS query: 195.200.31.22
Source: unknown	TCP traffic detected without corresponding DNS query: 195.200.31.22
Source: unknown	TCP traffic detected without corresponding DNS query: 195.200.31.22
Source: unknown	TCP traffic detected without corresponding DNS query: 195.200.31.22
Source: unknown	TCP traffic detected without corresponding DNS query: 195.200.31.22
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 195.200.31.22
Source: unknown	TCP traffic detected without corresponding DNS query: 195.200.31.22
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 193.187.172.163
Source: unknown	TCP traffic detected without corresponding DNS query: 193.187.172.163
Source: unknown	TCP traffic detected without corresponding DNS query: 193.187.172.163
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown	TCP traffic detected without corresponding DNS query: 195.200.31.22
Source: unknown	TCP traffic detected without corresponding DNS query: 193.187.172.163
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.155
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.155
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.155
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.155
Source: unknown	TCP traffic detected without corresponding DNS query: 193.187.172.163
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.155
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown	TCP traffic detected without corresponding DNS query: 193.187.172.163
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.196.157
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106

Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /Rainmeter.exe HTTP/1.1Connection: Keep-AliveHost: rtsfinancal.com
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 46.8.232.106:30001User-Agent: Go-http-client/1.1X-Api-Key: POmm6bY3Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 46.8.232.106:30001User-Agent: Go-http-client/1.1X-Api-Key: lO5iOWmuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 147.45.196.157:30001User-Agent: Go-http-client/1.1X-Api-Key: 8hNLQRWEAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 193.187.172.163:30001User-Agent: Go-http-client/1.1X-Api-Key: UC8dXwnrAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 91.212.166.154:30001User-Agent: Go-http-client/1.1X-Api-Key: cGDHbNNyAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 91.212.166.155:30001User-Agent: Go-http-client/1.1X-Api-Key: Wa8tQVnTAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 46.8.232.106:30001User-Agent: Go-http-client/1.1X-Api-Key: poJhPG97Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 147.45.196.157:30001User-Agent: Go-http-client/1.1X-Api-Key: BipzROIHAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 193.187.172.163:30001User-Agent: Go-http-client/1.1X-Api-Key: 2AVUAmHbAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 91.212.166.154:30001User-Agent: Go-http-client/1.1X-Api-Key: dzE1jcY2Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 91.212.166.155:30001User-Agent: Go-http-client/1.1X-Api-Key: ZGcjfpiHAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 46.8.232.106:30001User-Agent: Go-http-client/1.1X-Api-Key: qJVnK8kWAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 147.45.196.157:30001User-Agent: Go-http-client/1.1X-Api-Key: 6cJLZ3C9Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 193.187.172.163:30001User-Agent: Go-http-client/1.1X-Api-Key: 9ksj7nTpAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 91.212.166.154:30001User-Agent: Go-http-client/1.1X-Api-Key: JFFrIMIEAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 91.212.166.155:30001User-Agent: Go-http-client/1.1X-Api-Key: ox48QZ8qAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 46.8.232.106:30001User-Agent: Go-http-client/1.1X-Api-Key: WIA6OyDUAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 147.45.196.157:30001User-Agent: Go-http-client/1.1X-Api-Key: 7MyefCiLAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 193.187.172.163:30001User-Agent: Go-http-client/1.1X-Api-Key: 9aj1BrBuAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 91.212.166.154:30001User-Agent: Go-http-client/1.1X-Api-Key: vupGYDrGAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 91.212.166.155:30001User-Agent: Go-http-client/1.1X-Api-Key: pYIICXCNAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 46.8.232.106:30001User-Agent: Go-http-client/1.1X-Api-Key: 9dG6RhvqAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 147.45.196.157:30001User-Agent: Go-http-client/1.1X-Api-Key: UwdPPzVHAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c111195f74b1e7cb&proxyPassword=ehN72P79&proxyUsername=M3DnCdHP&userId=THuCW3o0ISC6MsfE1dNJ3Hhb HTTP/1.1Host: 193.187.172.163:30001User-Agent: Go-http-client/1.1X-Api-Key: S2SBdY2EAccept-Encoding: gzip

Source: Owncloud.exe	String found in binary or memory: //recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://sto equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.2147057840.0000000000F33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.1891457419.00000000033B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com hQ equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C5891e5319d50b06925c1aedd4927e3d8; path=/; secure; HttpOnly; SameSite=Nonesessionid=250421c0d32d61ea822cb50d; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type36122Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 13 Mar 2025 21:11:11 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.1984851452.00000000036C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C5891e5319d50b06925c1aedd4927e3d8; path=/; secure; HttpOnly; SameSite=Nonesessionid=4915af191082db2881cbc522; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type36122Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 13 Mar 2025 21:11:21 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control* equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.2066638137.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C5891e5319d50b06925c1aedd4927e3d8; path=/; secure; HttpOnly; SameSite=Nonesessionid=722f63267dad916458809254; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type36122Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 13 Mar 2025 21:11:30 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlI equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.2178719247.0000000000F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C5891e5319d50b06925c1aedd4927e3d8; path=/; secure; HttpOnly; SameSite=Nonesessionid=a4bf8714d60799c116f83890; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type36122Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 13 Mar 2025 21:11:44 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C5891e5319d50b06925c1aedd4927e3d8; path=/; secure; HttpOnly; SameSite=Nonesessionid=d30a4a6bfb51de06979d87f5; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type36122Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 13 Mar 2025 21:11:36 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.1803691751.00000000033C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C5891e5319d50b06925c1aedd4927e3d8; path=/; secure; HttpOnly; SameSite=Nonesessionid=df8f95d4a7fc289a23b95285; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type36122Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 13 Mar 2025 21:11:06 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.1891457419.00000000033B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com hQ equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Owncloud.exe	String found in binary or memory: ed.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame- equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.1984851452.00000000036C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.ne& equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.1891457419.00000000033B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: jq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.1891457419.00000000033B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: jq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C5891e5319d50b06925c1aedd4927e3d8; path=/; secure; HttpOnly; SameSite=Nonesessionid=250421c0d32d61ea822cb50d; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type36122Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 13 Mar 2025 21:11:11 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: Owncloud.exe	String found in binary or memory: maized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com htt equals www.youtube.com (Youtube)
Source: Owncloud.exe, 00000000.00000003.2147057840.0000000000F33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ttps://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: begindecafer.world
Source: global traffic	DNS traffic detected: DNS query: garagedrootz.top
Source: global traffic	DNS traffic detected: DNS query: modelshiverd.icu
Source: global traffic	DNS traffic detected: DNS query: arisechairedd.shop
Source: global traffic	DNS traffic detected: DNS query: catterjur.run
Source: global traffic	DNS traffic detected: DNS query: orangemyther.live
Source: global traffic	DNS traffic detected: DNS query: fostinjec.today
Source: global traffic	DNS traffic detected: DNS query: sterpickced.digital
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: guntac.bet
Source: global traffic	DNS traffic detected: DNS query: rtsfinancal.com

Source: unknown

HTTP traffic detected: POST /bSHsyZD HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 41Host: guntac.bet

Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD06000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BDCC000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C0DA000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C18C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://147.45.196.157:30001
Source: rareTemp.exe, 0000000D.00000002.3691409369.000000000C0E2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://147.45.196.157:30001/api/helper-first-register
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD0C000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BDBE000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C086000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://147.45.196.157:30001/api/helper-first-register?
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD0C000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BDBE000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C086000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://147.45.196.157:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BDFE000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C0E6000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C1B2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://147.45.196.157:30001/api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BDCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://147.45.196.157:300016cJLZ3C98bcd144423a25770c111195f74b1e7cb8bcd144423a25770c111195f74b1e7cbM
Source: rareTemp.exe, 0000000D.00000002.3692993598.000000000C18C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://147.45.196.157:300017MyefCiLHTTP/1.1
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD06000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://147.45.196.157:300018hNLQRWEHTTP/1.1
Source: rareTemp.exe, 0000000D.00000002.3691409369.000000000C0DA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://147.45.196.157:30001BipzROIHHTTP/1.1
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3690469593.000000000C450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://188.130.206.243:30001/api/helper-first-register
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD06000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BDCC000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C18C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://193.187.172.163:30001
Source: rareTemp.exe, 0000000D.00000002.3691409369.000000000C0E2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://193.187.172.163:30001/api/helper-first-register
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3690469593.000000000C450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://193.187.172.163:30001/api/helper-first-register2025/03/13
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD0C000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BDBE000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://193.187.172.163:30001/api/helper-first-register?
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD0C000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BDBE000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://193.187.172.163:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS
Source: rareTemp.exe, 0000000D.00000002.3692993598.000000000C1B2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://193.187.172.163:30001/api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a2577
Source: rareTemp.exe, 0000000D.00000002.3692993598.000000000C18C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://193.187.172.163:300012AVUAmHbHTTP/1.1
Source: rareTemp.exe, 0000000D.00000002.3692993598.000000000C18C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://193.187.172.163:300019aj1BrBuHTTP/1.1
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD06000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://193.187.172.163:30001UC8dXwnrHTTP/1.1
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3690469593.000000000C45E000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BD06000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3690303975.000000000BC12000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BDCC000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C0DA000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C18C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001
Source: rareTemp.exe, 0000000D.00000002.3691409369.000000000C0E2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001/api/helper-first-register
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3690469593.000000000C40E000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BD0C000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3690303975.000000000BC10000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BDBE000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C086000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001/api/helper-first-register?
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3690469593.000000000C40E000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BD0C000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3690303975.000000000BC10000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BDBE000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C086000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3691730893.000000000C530000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3690303975.000000000BC64000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BDF0000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BD68000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C1E4000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C0BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001/api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770c1
Source: rareTemp.exe, 0000000C.00000002.3690303975.000000000BC12000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:300019dG6Rhvq
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3690469593.000000000C45E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001POmm6bY3REQUEST_METHOD
Source: rareTemp.exe, 0000000D.00000002.3692993598.000000000C18C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001WIA6OyDUHTTP/1.1
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD06000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001lO5iOWmuREQUEST_METHODHTTP/1.1
Source: rareTemp.exe, 0000000D.00000002.3691409369.000000000C0DA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001poJhPG97REQUEST_METHODHTTP/1.1
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BDCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001qJVnK8kWHTTP/1.1
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD06000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C18C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.154:30001
Source: rareTemp.exe, 0000000D.00000002.3691409369.000000000C0E2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.154:30001/api/helper-first-register
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD0C000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.154:30001/api/helper-first-register?
Source: rareTemp.exe, 0000000D.00000002.3692993598.000000000C180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.154:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD4A000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C1B2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.154:30001/api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD06000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.154:30001JFFrIMIEHTTP/1.1
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD06000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.154:30001cGDHbNNyHTTP/1.1
Source: rareTemp.exe, 0000000D.00000002.3692993598.000000000C18C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.154:30001dzE1jcY2HTTP/1.1
Source: rareTemp.exe, 0000000D.00000002.3692993598.000000000C18C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.154:30001vupGYDrGHTTP/1.1
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD06000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3690308390.000000000C012000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C18C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.155:30001
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BDE8000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BDC4000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BD5A000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BD66000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BD1E000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3690303975.000000000BC52000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BDDC000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BDEA000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C0C0000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C1D6000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C0F6000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C1E2000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C1D4000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C0FE000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C0B6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.155:30001/api/helper-first-register
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD0C000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C180000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3690308390.000000000C010000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.155:30001/api/helper-first-register?
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD0C000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C180000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3690308390.000000000C010000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.155:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD4A000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3690308390.000000000C06A000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C1B2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.155:30001/api/helper-first-register?buildVersion=03qc.PAF2fNG&md5=8bcd144423a25770
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD06000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.155:30001Wa8tQVnTHTTP/1.1
Source: rareTemp.exe, 0000000D.00000002.3692993598.000000000C18C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.155:30001ZGcjfpiH2025/03/13
Source: rareTemp.exe, 0000000C.00000002.3692047583.000000000BD06000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.155:30001ox48QZ8qr
Source: rareTemp.exe, 0000000D.00000002.3690308390.000000000C012000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.155:30001pYIICXCN
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3690469593.000000000C406000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.91:30001/api/helper-first-register
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3690469593.000000000C450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.9:30001/api/helper-first-register
Source: Owncloud.exe, 00000000.00000003.1892475815.00000000033D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Owncloud.exe, 00000000.00000003.1892475815.00000000033D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Owncloud.exe, 00000000.00000003.1892475815.00000000033D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Owncloud.exe, 00000000.00000003.1892475815.00000000033D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Owncloud.exe, 00000000.00000003.1892475815.00000000033D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Owncloud.exe, 00000000.00000003.1892475815.00000000033D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Owncloud.exe, 00000000.00000003.1892475815.00000000033D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Owncloud.exe, 00000000.00000003.1892475815.00000000033D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Owncloud.exe, 00000000.00000003.1892475815.00000000033D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: rareTemp.exe, 0000000C.00000002.3691391127.000000000BCB6000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BD8C000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3690303975.000000000BC0A000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BD00000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3692993598.000000000C194000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C0F4000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3690308390.000000000C00A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://proxyUsernameproxyUsernameM3DnCdHPproxyPasswordehN72P79buildVersionbuildVersion=HTTP/1.1
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3690469593.000000000C458000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000C.00000002.3692047583.000000000BD00000.00000004.00001000.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3691409369.000000000C0F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://proxyUsernameproxyUsernameM3DnCdHPproxyPasswordehN72P79buildVersionbuildVersion=HTTP/1.1X-Api
Source: Owncloud.exe, 00000000.00000003.2125426270.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857208843.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033D3000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000338B000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1804818287.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992832043.000000000338A000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066735784.000000000338A000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2146971013.000000000338B000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Owncloud.exe, 00000000.00000003.1984851452.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Owncloud.exe, 00000000.00000003.1984851452.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Owncloud.exe, 00000000.00000003.1892475815.00000000033D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Owncloud.exe, 00000000.00000003.1892475815.00000000033D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Owncloud.exe, 00000000.00000003.1777260249.00000000036D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: Owncloud.exe, 00000000.00000003.1777260249.00000000036D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Owncloud.exe, 00000000.00000003.1777260249.00000000036D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Owncloud.exe, 00000000.00000003.1777260249.00000000036D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Owncloud.exe	String found in binary or memory: https://community.cloud
Source: Owncloud.exe	String found in binary or memory: https://community.cloudf
Source: Owncloud.exe	String found in binary or memory: https://community.cloudflare.stea
Source: Owncloud.exe	String found in binary or memory: https://community.cloudflare.steamsta
Source: Owncloud.exe	String found in binary or memory: https://community.cloudflare.steamstati
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: Owncloud.exe	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/
Source: Owncloud.exe, 00000000.00000003.1857142847.00000000036CD000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857208843.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033D3000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1804818287.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=V4P4q3q732
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=N4H9vOOxi8kG&l=english&am
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=INiZALwvDIbb
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=EZbG2DEumYDH&l=engli
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=l1VAyDrxeeyo&l=en
Source: Owncloud.exe, 00000000.00000003.1857142847.00000000036CD000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857208843.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033D3000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1804818287.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Owncloud.exe, 00000000.00000003.2125426270.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857208843.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033D3000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000338B000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1804818287.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992832043.000000000338A000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066735784.000000000338A000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2146971013.000000000338B000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Owncloud.exe, 00000000.00000003.1857142847.00000000036CD000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857208843.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033D3000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1804818287.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: Owncloud.exe, 00000000.00000003.1857142847.00000000036CD000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857208843.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033D3000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1804818287.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=jfdb
Source: Owncloud.exe, 00000000.00000003.1857142847.00000000036CD000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857208843.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033D3000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1804818287.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1986673263.0000000003703000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=D1VziU1eIKI3&l=englis
Source: Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1986673263.0000000003703000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&a
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=XfYrwi9zUC4b&l=
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=engli
Source: Owncloud.exe	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js
Source: Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1986673263.0000000003703000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=47omfdMZRDiz&l=engli
Source: Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1986673263.0000000003703000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=iGFW_JMULCcZ&
Source: Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=iGFW_JMULCf
Source: Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066735784.00000000033B5000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l
Source: Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1986673263.0000000003703000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp
Source: Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1986673263.0000000003703000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcD
Source: Owncloud.exe	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=whw8EcafG167&a
Source: Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=whw8EcafG167&amp
Source: Owncloud.exe	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/share
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&l=engl
Source: Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&l=
Source: Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=sd6kCnGQW5Ji&
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=n4_f9JKDa7wP&
Source: Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=oQ1d_VAfa_o
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1986673263.0000000003703000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: Owncloud.exe	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/to
Source: Owncloud.exe, 00000000.00000003.1857222583.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094106919.00000000036D8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178508057.00000000036D2000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1986673263.0000000003703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&
Source: Owncloud.exe, 00000000.00000003.1777260249.00000000036D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Owncloud.exe, 00000000.00000003.1777260249.00000000036D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
Source: Owncloud.exe, 00000000.00000003.1777260249.00000000036D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Owncloud.exe, 00000000.00000003.1777260249.00000000036D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: Owncloud.exe, 00000000.00000003.1891457419.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1986361054.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892185832.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1993135111.00000000033BC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1827761033.00000000033B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://guntac.bet/
Source: Owncloud.exe, 00000000.00000003.1891457419.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892185832.00000000033BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://guntac.bet/;h
Source: Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://guntac.bet/R
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.1892407236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992832043.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1827831919.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147057840.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2147057840.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066735784.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178719247.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992771088.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066638137.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094209809.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2146971013.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.00000000033A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://guntac.bet/bSHsyZD
Source: Owncloud.exe, 00000000.00000003.1892407236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1827831919.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.00000000033A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://guntac.bet/bSHsyZDIdefB6
Source: Owncloud.exe, 00000000.00000003.1993383159.0000000003370000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.000000000336E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://guntac.bet/bSHsyZDb
Source: Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://guntac.bet/f
Source: Owncloud.exe, 00000000.00000003.1827761033.00000000033B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://guntac.bet/oh0
Source: Owncloud.exe	String found in binary or memory: https://guntac.bet:443/bSHsyZD
Source: Owncloud.exe, 00000000.00000003.1827796950.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://guntac.bet:443/bSHsyZDocal
Source: Owncloud.exe, 00000000.00000003.2094209809.00000000033AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://guntac.bet:443/bSHsyZDprofiles/76561199822375128ta
Source: Owncloud.exe	String found in binary or memory: https://help.steampowe
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Owncloud.exe, 00000000.00000003.1984851452.00000000036C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.ne&
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Owncloud.exe	String found in binary or memory: https://steambroadcastchat.ak
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Owncloud.exe, 00000000.00000003.1892407236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992832043.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066735784.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094209809.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2146971013.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.00000000033A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/4ZL
Source: Owncloud.exe	String found in binary or memory: https://steamcommunity.com/?subse
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Owncloud.exe, 00000000.00000003.1804818287.00000000033B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/AAAA
Source: Owncloud.exe, 00000000.00000003.1857238975.00000000033A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/ID
Source: Owncloud.exe, 00000000.00000003.2147057840.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066638137.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992771088.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178719247.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/b
Source: Owncloud.exe, 00000000.00000003.1857238975.00000000033A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/dY
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Owncloud.exe, 00000000.00000003.2178608348.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066735784.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094209809.00000000033A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/lY
Source: Owncloud.exe, 00000000.00000003.1857208843.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033D3000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000338B000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1804818287.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992832043.000000000338A000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066735784.000000000338A000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2146971013.000000000338B000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199822375128
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Owncloud.exe, 00000000.00000003.2125492699.000000000338B000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992832043.000000000338A000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066735784.000000000338A000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2146971013.000000000338B000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.1892407236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992832043.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066735784.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094209809.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2146971013.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.00000000033A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128
Source: Owncloud.exe, 00000000.00000003.2125426270.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/badges
Source: Owncloud.exe, 00000000.00000003.1857142847.00000000036CD000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857208843.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033D3000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1804818287.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/inventory/
Source: Owncloud.exe, 00000000.00000003.2094209809.00000000033A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128:
Source: Owncloud.exe, 00000000.00000003.2125426270.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/ted
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Owncloud.exe, 00000000.00000003.1987907162.00000000033A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128
Source: Owncloud.exe, 00000000.00000003.1827796950.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128a
Source: Owncloud.exe, 00000000.00000003.2178608348.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2094209809.00000000033AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128ta
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamloopback.host
Source: Owncloud.exe	String found in binary or memory: https://store.stea
Source: Owncloud.exe, 00000000.00000003.2125492699.000000000338B000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992832043.000000000338A000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066735784.000000000338A000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2146971013.000000000338B000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steam
Source: Owncloud.exe	String found in binary or memory: https://store.steampower
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Owncloud.exe, 00000000.00000003.2147057840.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Owncloud.exe, 00000000.00000003.2147057840.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178719247.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1891457419.00000000033B6000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066638137.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1803691751.00000000033C4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857191440.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
Source: Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Owncloud.exe, 00000000.00000003.2125426270.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857208843.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033D3000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1804818287.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125426270.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1984851452.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178379976.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147117951.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178608348.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066801389.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992867027.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066879357.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1987907162.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178702759.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066572302.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1892407236.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2125492699.000000000336F000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Owncloud.exe, 00000000.00000003.1893936228.00000000039EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Owncloud.exe, 00000000.00000003.1893936228.00000000039EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Owncloud.exe, 00000000.00000003.1777260249.00000000036D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Owncloud.exe, 00000000.00000003.1777260249.00000000036D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Owncloud.exe, 00000000.00000003.1893885097.00000000036E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: Owncloud.exe, 00000000.00000003.1893936228.00000000039EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: Owncloud.exe, 00000000.00000003.1893936228.00000000039EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: Owncloud.exe, 00000000.00000003.1893936228.00000000039EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Owncloud.exe, 00000000.00000003.2125426270.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178848571.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1857142847.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178590633.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1802918399.00000000033D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Owncloud.exe, 00000000.00000003.2178848571.0000000003702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.107.136.186:443 -> 192.168.2.6:49717 version: TLS 1.2

Source: C:\Users\user\Desktop\Owncloud.exe	Code function: 0_3_00F52DE5	0_3_00F52DE5
Source: C:\Users\user\Desktop\Owncloud.exe	Code function: 0_3_00F52E37	0_3_00F52E37
Source: C:\Users\user\Desktop\Owncloud.exe	Code function: 0_3_00F52E06	0_3_00F52E06

Source: Owncloud.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/3@13/10

Source: C:\Users\user\Desktop\Owncloud.exe

File created: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe

Jump to behavior

Source: Owncloud.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Owncloud.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Owncloud.exe, 00000000.00000003.1776699500.00000000036C5000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1828150580.00000000033CE000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1828272728.00000000036D5000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1777185611.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1776816322.00000000033C9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Owncloud.exe	Virustotal: Detection: 58%
Source: Owncloud.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\Owncloud.exe

File read: C:\Users\user\Desktop\Owncloud.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Owncloud.exe "C:\Users\user\Desktop\Owncloud.exe"
Source: C:\Users\user\Desktop\Owncloud.exe	Process created: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe "C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\rareTemp.exe "C:\Users\user\AppData\Local\Temp\rareTemp.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\rareTemp.exe "C:\Users\user\AppData\Local\Temp\rareTemp.exe"
Source: C:\Users\user\Desktop\Owncloud.exe	Process created: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe "C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: ????? .dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	Section loaded: main.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Section loaded: main.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Section loaded: main.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Section loaded: mswsock.dll	Jump to behavior

Source: Owncloud.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Owncloud.exe

Static file information: File size 6947840 > 1048576

Source: Owncloud.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x637e00

Source: Owncloud.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Owncloud.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	Unpacked PE file: 10.2.1NL2UUTXGRDJBOX6R5AY7089XD.exe.3560000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Unpacked PE file: 13.2.rareTemp.exe.3040000.2.unpack

Source: C:\Users\user\Desktop\Owncloud.exe	Code function: 0_3_00F393F5 push ebx; ret	0_3_00F3941D
Source: C:\Users\user\Desktop\Owncloud.exe	Code function: 0_3_00F2D869 push ebx; ret	0_3_00F2D891
Source: C:\Users\user\Desktop\Owncloud.exe	Code function: 0_3_00F2B16C push ds; ret	0_3_00F2B16F
Source: C:\Users\user\Desktop\Owncloud.exe	Code function: 0_3_00F528D4 push esi; retf	0_3_00F528D7
Source: C:\Users\user\Desktop\Owncloud.exe	Code function: 0_3_00F5324C push esi; retf	0_3_00F5324F

Source: C:\Users\user\Desktop\Owncloud.exe	File created: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	File created: C:\Users\user\AppData\Local\Temp\rareTemp.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SecAV			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SecAV			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49742

Source: C:\Users\user\Desktop\Owncloud.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1NL2UUTXGRDJBOX6R5AY7089XD.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Owncloud.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Owncloud.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Owncloud.exe TID: 8024

Thread sleep time: -180000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Owncloud.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Owncloud.exe, Owncloud.exe, 00000000.00000003.2147057840.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066638137.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.1992771088.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2178719247.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Owncloud.exe, 00000000.00000003.1828395402.00000000033D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 1NL2UUTXGRDJBOX6R5AY7089XD.exe, 0000000A.00000002.3689068896.000000000187E000.00000004.00000020.00020000.00000000.sdmp, rareTemp.exe, 0000000D.00000002.3689099181.0000000001507000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: rareTemp.exe, 0000000C.00000002.3689257139.000000000124E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Owncloud.exe, 00000000.00000003.1828465732.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\Owncloud.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Owncloud.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\config VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\config VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\config VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\config VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\config VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Owncloud.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Owncloud.exe, 00000000.00000003.2066820570.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066735784.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Owncloud.exe, 00000000.00000003.2066638137.0000000000F47000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Owncloud.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected GO Backdoor

Source: Yara match	File source: 0000000C.00000002.3691391127.000000000BCC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3692047583.000000000BDC4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3692047583.000000000BD5A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3692993598.000000000C1FC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3692047583.000000000BE17000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3691730893.000000000C52A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3692993598.000000000C1BE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3690303975.000000000BC48000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3694363786.000000000BE80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3690308390.000000000C042000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3691409369.000000000C132000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3691409369.000000000C0F6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3690308390.000000000C058000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3690303975.000000000BC6B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3691409369.000000000C13E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3692993598.000000000C1D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3690308390.000000000C078000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3692047583.000000000BDAC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3691730893.000000000C542000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3692047583.000000000BDCC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1NL2UUTXGRDJBOX6R5AY7089XD.exe PID: 1080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rareTemp.exe PID: 5824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rareTemp.exe PID: 3388, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: Owncloud.exe PID: 7280, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Owncloud.exe, 00000000.00000003.1992771088.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: Owncloud.exe, 00000000.00000003.1857238975.000000000337F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: llets/ElectronCash%
Source: Owncloud.exe, 00000000.00000003.1892407236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: Owncloud.exe, 00000000.00000003.1992771088.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Owncloud.exe, 00000000.00000003.2125492699.000000000338B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: s/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.walle
Source: Owncloud.exe	String found in binary or memory: Wallets/Exodus
Source: Owncloud.exe, 00000000.00000003.2125492699.000000000338B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ions\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z"
Source: Owncloud.exe, 00000000.00000003.1992771088.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Owncloud.exe	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Owncloud.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior

Source: Yara match

File source: Process Memory Space: Owncloud.exe PID: 7280, type: MEMORYSTR

Remote Access Functionality

Yara detected GO Backdoor

Source: Yara match	File source: 0000000C.00000002.3691391127.000000000BCC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3692047583.000000000BDC4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3692047583.000000000BD5A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3692993598.000000000C1FC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3692047583.000000000BE17000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3691730893.000000000C52A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3692993598.000000000C1BE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3690303975.000000000BC48000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3694363786.000000000BE80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3690308390.000000000C042000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3691409369.000000000C132000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3691409369.000000000C0F6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3690308390.000000000C058000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3690303975.000000000BC6B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3691409369.000000000C13E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3692993598.000000000C1D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3690308390.000000000C078000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3692047583.000000000BDAC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3691730893.000000000C542000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3692047583.000000000BDCC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1NL2UUTXGRDJBOX6R5AY7089XD.exe PID: 1080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rareTemp.exe PID: 5824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rareTemp.exe PID: 3388, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: Owncloud.exe PID: 7280, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	41 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	22 System Information Discovery	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	1 Proxy	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Owncloud.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Owncloud.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Owncloud.exe